Abstract. We characterize the complexity of liveness verification for parameterized systems consisting of a leader process and arbitrarily many anonymous and identical contributor processes. Processes communicate through a shared, bounded-value register. While each operation on the register is atomic, there is no synchronization primitive to execute a sequence of operations atomically.

We analyze the case in which processes are modeled by finite-state machines or pushdown machines and the property is given by a Büchi automaton over the alphabet of read and write actions of the leader. We show that the problem is decidable, and has a surprisingly low complexity: it is NP-complete when all processes are finite-state machines, and is PSPACE-hard and in NEXPTIME when they are pushdown machines. This complexity is lower than for the non-parameterized case: liveness verification of finitely many finite-state machines is PSPACE-complete, and undecidable for two pushdown machines.

For finite-state machines, our proofs characterize infinite behaviors using existential abstraction and semilinear constraints. For pushdown machines, we show how contributor computations of high stack height can be simulated by computations of many contributors, each with low stack height. Together, our results characterize the complexity of verification for parameterized systems under the assumptions of anonymity and asynchrony.


1 Introduction 

We study the verification problem for parameterized asynchronous shared-memory systems [12,9]. These systems consist of a leader process and arbitrarily many identical contributors, processes with no identity, running at arbitrary relative speeds. The shared memory consists of a read/write register that all processes can access to perform either a read operation or a write operation. The register is bounded: the set of values that can be stored is finite. Read/write operations execute atomically but sequences of operations do not: no process can conduct an atomic sequence of reads and writes while excluding all other processes. In a previous paper [9], we have studied the complexity of safety verification, which asks to check if a safety property holds no matter how many contributors are present. In a nutshell, we showed that the problem is coNP-complete when both leader and contributors are finite-state automata and PSPACE-complete when they are pushdown automata.

In this paper we complete the study of this model by addressing the verification of liveness properties specified as $\omega$-regular languages (which in particular encompasses LTL model-checking). Given a property like "every request is eventually granted" and a



system with a fixed number of processes, one is often able to guess an upper bound on 
the maximal number of steps until the request is granted, and replace the property by 
the safety property “every request is granted after at most K steps.” In parameterized 
systems this bound can depend on the (unbounded) number of processes, and so reducing 
liveness to safety, or to finitary reasoning, is not obvious. Indeed, for many parameterized 
models, liveness verification is undecidable even if safety is decidable [8,13]. 

Our results show that there is no large complexity gap between liveness and safety verification; liveness verification (existence of an infinite computation violating a property) is NP-complete in the finite-state case, and PSPACE-hard and in NEXPTIME in the pushdown case. In contrast, remember that liveness checking is already PSPACE-complete for a finite number of finite-state machines, and undecidable for a fixed number of pushdown systems. Thus, not only is liveness verification decidable in the parameterized setting but the complexity of the parameterized problem is lower than in the
non-parameterized case, where all processes are part of the input. We interpret this as 
follows: in asynchronous shared-memory systems, the existence of arbitrarily many 
processes leads to a “noisy” environment, in which contributors may hinder progress 
by replying to past messages from the leader, long after the computation has moved 
forward to a new phase. It is known that imperfect communication can reduce the power 
of computation and the complexity of verification problems: the best known example are 
lossy channel systems, for which many verification problems are decidable, while they 
are undecidable for perfect channels (see e.g. [3,1]). Our results reveal another instance 
of the same phenomenon. 

Technically, our proof methods are very different from those used for safety verification. Our previous results [9] relied on a fundamental Simulation Lemma, inspired by
Hague’s work [12], stating that the finite behaviors of an arbitrary number of contributors 
can be simulated by a finite number of simulators, one for each possible value of the 
register. Unfortunately, the Simulation Lemma does not extend to infinite behaviors, and 
so we have to develop new ideas. In the case in which both leader and contributors are 
finite-state machines, the NP-completeness result is obtained by means of a combination 
of an abstraction that overapproximates the set of possible infinite behaviors, and a 
semilinear constraint that allows us to regain precision. The case in which both leader 
and contributors are pushdown machines is very involved. In a nutshell, we show that 
pushdown runs in which a parameter called the effective stack height grows too much 
can be “distributed” into a number of runs with smaller effective stack height. We then 
prove that the behaviors of a pushdown machine with a bounded effective stack height 
can be simulated by an exponentially larger finite-state machine. 

Related Work. Parameterized verification has been studied extensively, both theoretically and practically. While very simple variants of the problem are already undecidable [6], many non-trivial parameterized models retain decidability. There is no clear "rule of thumb" that allows one to predict what model checking problems are decidable, nor their complexities, other than "liveness is generally harder than safety." For example, coverability for Petri nets—in which finite-state, identityless processes communicate via rendezvous or global shared state—is EXPSPACE-complete, higher than the PSPACE-completeness of the non-parameterized version, and verification of liveness properties can be equivalent to Petri net reachability, for which we only know non-primitive recursive upper bounds, or even undecidable. Safety verification for extensions to Petri nets with reset or transfer, or broadcast protocols, where arbitrarily many finite-state processes communicate through broadcast messages, are non-primitive recursive; liveness verification is undecidable in all cases [2,8,13]. Thus, our results, which show simultaneously lower complexity than non-parameterized problems, as well as similar complexity for liveness and safety, are quite unexpected.

German and Sistla [10] and Aminof et al. [4] have studied a parameterized model 
with rendezvous as communication primitive, where processes are finite-state machines. 
Model checking the fully symmetrical case—only contributors, no leaders—runs in 
polynomial time (other topologies have also been considered [4]), while the asymmetric 
case with a leader is EXPSPACE-complete. In this paper we study the same problems, 
but for a shared memory communication primitive. 

Population protocols [5] are another well-studied model of identityless asynchronous finite-state systems communicating via rendezvous. The semantics of population protocols is given over fair runs, in which every potential interaction that is infinitely often enabled is infinitely often taken. With this semantics, population protocols compute exactly the semilinear predicates [5]. In this paper we do not study what our model can compute (in particular, we are agnostic with respect to which fairness assumptions are reasonable), but what we can compute or decide about the model.

2 Formal Model: Non-Atomic Networks 

In this paper, we identify systems with languages. System actions are modeled as symbols 
in an alphabet, executions are modeled as infinite words, and the system itself is modeled 
as the language of its executions. Composition operations that combine systems into 
larger ones are modeled as operations on languages. 

2.1 Systems as languages 

An alphabet $\Sigma$ is a finite, non-empty set of symbols. A word over $\Sigma$ is a finite sequence over $\Sigma$ including the empty sequence denoted $\varepsilon$, and a language is a set of words. An $\omega$-word over $\Sigma$ is an infinite sequence of symbols of $\Sigma$, and an $\omega$-language is a set of $\omega$-words. We use $\Sigma^*$ (resp. $\Sigma^\omega$) to denote the language of all words (resp. $\omega$-words) over $\Sigma$. When there is no ambiguity, we use "words" to refer to words or $\omega$-words. We do similarly for languages. Let $w$ be a sequence over some alphabet; define $\mathrm{dom}(w) = \{1, \ldots, n\}$ if $w$ is a word of $n$ symbols; else ($w$ is an $\omega$-word) $\mathrm{dom}(w)$ denotes the set $\mathbb{N} \setminus \{0\}$. Elements of $\mathrm{dom}(w)$ are called positions. The length of a sequence $w$ is defined to be $\sup \mathrm{dom}(w)$ and is denoted $|w|$. We denote by $(w)_i$ the symbol of $w$ at position $i$ if $i \in \mathrm{dom}(w)$, $\varepsilon$ otherwise. Moreover, let $(w)_{i..j}$ with $i, j \in \mathbb{N}$ and $i \le j$ denote $(w)_i (w)_{i+1} \ldots (w)_j$. Also $(w)_{i..\infty}$ denotes $(w)_i (w)_{i+1} \ldots$ For words $u, v \in (\Sigma^\omega \cup \Sigma^*)$, we say $u$ is a prefix of $v$ if either $u = v$ or $u \in \Sigma^*$ and there is a $w \in (\Sigma^\omega \cup \Sigma^*)$ such that $v = uw$.

Combining systems: Shuffle. Intuitively, the shuffle of systems $L_1$ and $L_2$ is the system interleaving the executions of $L_1$ with those of $L_2$. Given two $\omega$-languages $L_1 \subseteq \Sigma_1^\omega$ and $L_2 \subseteq \Sigma_2^\omega$, their shuffle, denoted by $L_1 \otimes L_2$, is the $\omega$-language over $(\Sigma_1 \cup \Sigma_2)$ defined as follows. Given two $\omega$-words $x \in \Sigma_1^\omega$ and $y \in \Sigma_2^\omega$, we say that $z \in (\Sigma_1 \cup \Sigma_2)^\omega$ is an interleaving of $x$ and $y$ if there exist (possibly empty) words $x_1, x_2, \ldots, x_i, \ldots \in \Sigma_1^*$ and $y_1, y_2, \ldots, y_i, \ldots \in \Sigma_2^*$ such that each $x_1 x_2 \cdots x_i$ is a prefix of $x$, each $y_1 y_2 \cdots y_i$ is a prefix of $y$, and $z = x_1 y_1 x_2 y_2 \cdots x_i y_i \cdots \in \Sigma^\omega$ is an $\omega$-word. Then $L_1 \otimes L_2 = \bigcup_{x \in L_1, y \in L_2} x \otimes y$, where $x \otimes y$ denotes the set of all interleavings of $x$ and $y$. For example, if $L_1 = ab^\omega$ and $L_2 = ab^\omega$, we get $L_1 \otimes L_2 = (a + ab^*a)b^\omega$. Shuffle is associative and commutative, and so we can write $L_1 \otimes \cdots \otimes L_n$ or $\bigotimes_{i=1}^{n} L_i$.

Combining systems: Asynchronous product. The asynchronous product of $L_1 \subseteq \Sigma_1^\omega$ and $L_2 \subseteq \Sigma_2^\omega$ also interleaves the executions but, this time, the actions in the common alphabet must now be executed jointly. The $\omega$-language of the resulting system, called the asynchronous product of $L_1$ and $L_2$, is denoted by $L_1 \parallel L_2$, and defined as follows. Let $\mathrm{Proj}_{\Sigma}(w)$ be the word obtained by erasing from $w$ all occurrences of symbols not in $\Sigma$. $L_1 \parallel L_2$ is the $\omega$-language over the alphabet $\Sigma = \Sigma_1 \cup \Sigma_2$ such that $w \in L_1 \parallel L_2$ iff $\mathrm{Proj}_{\Sigma_1}(w)$ and $\mathrm{Proj}_{\Sigma_2}(w)$ are prefixes of words in $L_1$ and $L_2$, respectively. We abuse notation and write $w_1 \parallel L_2$ instead of $\{w_1\} \parallel L_2$ when $L_1 = \{w_1\}$. For example, let $\Sigma_1 = \{a, c\}$ and $\Sigma_2 = \{b, c\}$. For $L_1 = (ac)^\omega$ and $L_2 = (bc)^\omega$ we get $L_1 \parallel L_2 = ((ab + ba)c)^\omega$. Observe that the language $L_1 \parallel L_2$ depends on $L_1$, $L_2$ and also on $\Sigma_1$ and $\Sigma_2$. For example, if $\Sigma_1 = \{a\}$ and $\Sigma_2 = \{b\}$, then $\{a^\omega\} \parallel \{b^\omega\} = (a + b)^\omega$, but if $\Sigma_1 = \{a, b\} = \Sigma_2$, then $\{a^\omega\} \parallel \{b^\omega\} = \emptyset$. So we should more properly write $L_1 \parallel_{\Sigma_1, \Sigma_2} L_2$. However, since the alphabets $\Sigma_1$ and $\Sigma_2$ will be clear from the context, we will omit them. Like shuffle, asynchronous product is also associative and commutative, and so we write $L_1 \parallel \cdots \parallel L_n$. Notice finally that shuffle and asynchronous product coincide if $\Sigma_1 \cap \Sigma_2 = \emptyset$, but usually differ otherwise. For instance, if $L_1 = ab^\omega$ and $L_2 = ab^\omega$, we get $L_1 \parallel L_2 = ab^\omega$.

We describe systems as combinations of shuffles and asynchronous products, for instance we write $L_1 \parallel (L_2 \otimes L_3)$. In these expressions we assume that $\otimes$ binds tighter than $\parallel$, and so $L_1 \otimes L_2 \parallel L_3$ is the language $(L_1 \otimes L_2) \parallel L_3$, and not $L_1 \otimes (L_2 \parallel L_3)$.

2.2 Non-atomic networks 

A non-atomic network is an infinite family of systems parameterized by a number $k$. The $k$th element of the family has $k + 1$ components communicating through a global store by means of read and write actions. The store is modeled as an atomic register whose set of possible values is finite. One of the $k + 1$ components is the leader, while the other $k$ are the contributors. All contributors have exactly the same possible behaviors (they are copies of the same $\omega$-language), while the leader may behave differently. The network is called non-atomic because components cannot atomically execute sequences of actions, only one single read or write.

Formally, we fix a finite set $\mathcal{G}$ of global values. A read-write alphabet is any set of the form $\mathcal{A} \times \mathcal{G}$ where $\mathcal{A}$ is a set of read and write (actions). We denote a symbol $(a, g) \in \mathcal{A} \times \mathcal{G}$ by $a(g)$ and define $\mathcal{G}(a_1, \ldots, a_n) = \{a_i(g) \mid 1 \le i \le n,\ g \in \mathcal{G}\}$.

We fix two languages $D \subseteq \Sigma_D^\omega$ and $C \subseteq \Sigma_C^\omega$, called the leader and the contributor, with alphabets $\Sigma_D = \mathcal{G}(r_d, w_d)$ and $\Sigma_C = \mathcal{G}(r_c, w_c)$, respectively, where $r_d, r_c$ are called reads and $w_c, w_d$ are called writes. We write $w_*$ (respectively, $r_*$) to stand for either $w_c$ or $w_d$ (respectively, $r_c$ or $r_d$). We further assume that $\mathrm{Proj}_{\{w_*(g),\, r_*(g)\}}(D \cup C) \neq \emptyset$ holds for every $g \in \mathcal{G}$, else the value $g$ is never used and can be removed from $\mathcal{G}$.
Fig. 1. Transition systems describing languages $D$, $S$, and $C$. We write $rw_*(g) = r_*(g) \cup w_*(g) = \{r_c(g), r_d(g)\} \cup \{w_c(g), w_d(g)\}$. The transition system for $S$ is in state $i \in \{1, 2, 3\}$ when the current value of the store is $i$.

Additionally, we fix an $\omega$-language $S$, called the store, over $\Sigma_D \cup \Sigma_C$. It models the sequences of read and write operations supported by an atomic register: a write $w_*(g)$ writes $g$ to the register, while a read $r_*(g)$ succeeds when the register's current value is $g$. Initially the store is only willing to execute a write. Formally $S$ is defined as

$\Big(\sum_{g \in \mathcal{G}} w_*(g)\,(r_*(g))^*\Big)^\omega \;+\; \Big(\sum_{g \in \mathcal{G}} w_*(g)\,(r_*(g))^*\Big)^* \Big(\sum_{g \in \mathcal{G}} w_*(g)\,(r_*(g))^\omega\Big)$

and any finite prefix thereof. Observe that $S$ is completely determined by $\Sigma_D$ and $\Sigma_C$. Figure 1 depicts a store with $\{1, 2, 3\}$ as possible values as the language of a transition system.

Definition 1. Let $D \subseteq \Sigma_D^\omega$ and $C \subseteq \Sigma_C^\omega$ be a leader and a contributor, and let $k \ge 1$. The $k$-instance of the $(D, C)$-network is the $\omega$-language $N^{(k)} = (D \parallel S \parallel \otimes^k C)$, where $\otimes^k C$ stands for $C \otimes \cdots \otimes C$ ($k$ copies). The $(D, C)$-network $N$ is the $\omega$-language $N = \bigcup_{k \ge 1} N^{(k)}$. We omit the prefix $(D, C)$ when it is clear from the context. It follows easily from the properties of shuffle and asynchronous product that $N = (D \parallel S \parallel \otimes^* C)$, where $\otimes^* C$ is an abbreviation of $\bigcup_{k \ge 1} \otimes^k C$.

Next we introduce a notion of compatibility between a word of the leader and a multiset of words of the contributor (a multiset because several contributors may execute the same sequence of actions). Intuitively, compatibility means that all the words can be interleaved into a legal infinite sequence of reads and writes supported by an atomic register—that is, an infinite sequence belonging to $S$. Formally:

Definition 2. Let $u \in \Sigma_D^\omega$, and let $M = \{v_1, \ldots, v_k\}$ be a multiset of words over $\Sigma_C$ (possibly containing multiple copies of a word). We say that $u$ is compatible with $M$ iff the $\omega$-language $(u \parallel S \parallel \bigotimes_{i=1}^{k} v_i)$ is non-empty. When $u$ and $M$ are compatible, there exists a word $s \in S$ such that $(u \parallel s \parallel \bigotimes_{i=1}^{k} v_i) \neq \emptyset$. We call $s$ a witness of compatibility.

Example 1. Consider the network with $\mathcal{G} = \{1, 2, 3\}$ where the leader, store, and contributor languages are given by the infinite paths of the transition systems from Figure 1. The only $\omega$-word of $D$ is $(r_d(1)\, r_d(2)\, r_d(3))^\omega$ and the $\omega$-language of $C$ is $(w_c(1)\, r_c(3)\, r_c(1) + w_c(2)\, r_c(1)\, r_c(2) + w_c(3)\, r_c(2)\, r_c(3))^\omega$. For instance, $D = (r_d(1)\, r_d(2)\, r_d(3))^\omega$ is compatible with the multiset $M$ of 6 $\omega$-words obtained by taking two copies of $(w_c(1)\, r_c(3)\, r_c(1))^\omega$, $(w_c(2)\, r_c(1)\, r_c(2))^\omega$ and $(w_c(3)\, r_c(2)\, r_c(3))^\omega$. The reader may be interested in finding another multiset compatible with $D$ and containing only 4 $\omega$-words.
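The operations of Sections 2.1 and 2.2 over finite prefixes, as an added Python example that is not part of the paper: projection, the asynchronous product, shuffle as a search over the split of a word into per-component subsequences, the store as a register automaton, and the compatibility check of Definition 2 run on Example 1. Languages are represented by prefix predicates (is this finite word a prefix of some $\omega$-word of the language?), which is exactly what the definition of $\parallel$ consults. The encoding of symbols as (action, value) pairs and the interleaving z, which covers the first five store phases of Example 1, are choices of this example, not notation from the paper.

```python
# Added example (not from the paper). A language is a "prefix predicate":
# pred(w) is True iff the finite word w (a tuple of symbols) is a prefix of some
# omega-word of the language. This is all the asynchronous product consults.

def proj(w, sigma):
    """Proj_sigma(w): erase from w every symbol not in the alphabet sigma."""
    return tuple(a for a in w if a in sigma)

def in_async_product(w, components):
    """Is the finite word w a prefix of a word of L1 || ... || Ln?
    components: list of (alphabet, prefix predicate) pairs, one per L_i."""
    return all(pred(proj(w, sigma)) for sigma, pred in components)

def periodic(cycle):
    """Prefix predicate of the omega-language {cycle^omega}."""
    return lambda w: all(w[i] == cycle[i % len(cycle)] for i in range(len(w)))

def shuffle_prefix(preds):
    """Prefix predicate of L1 (x) ... (x) Ln: w must split into n subsequences,
    the i-th a prefix of a word of L_i. Depth-first search over the assignment
    of each symbol to one component; a branch is cut as soon as some component's
    subsequence stops being a prefix (prefix predicates are prefix-closed)."""
    def pred(w):
        parts = [() for _ in preds]
        def go(i):
            if i == len(w):
                return True
            for k, p in enumerate(preds):
                parts[k] += (w[i],)
                ok = p(parts[k]) and go(i + 1)
                parts[k] = parts[k][:-1]
                if ok:
                    return True
            return False
        return go(0)
    return pred

def store_prefix(w):
    """Prefix predicate of the store S over symbols (action, value): a write w_*(g)
    stores g, a read r_*(g) succeeds only if the register holds g, and the register
    starts uninitialised ('#'), so no read may precede the first write."""
    value = '#'
    for action, g in w:
        if action in ('wd', 'wc'):
            value = g
        elif value != g:
            return False
    return True

# --- The examples of Section 2.1 -------------------------------------------

def async_examples():
    """Four membership questions from Section 2.1, in order:
    abcbac in (ac)^w || (bc)^w; acbc in the same; abba in {a^w} || {b^w} with
    Sigma1 = {a}, Sigma2 = {b}; ab in {a^w} || {b^w} with Sigma1 = Sigma2 = {a, b}."""
    ac, bc = periodic(('a', 'c')), periodic(('b', 'c'))
    abc = in_async_product(tuple('abcbac'), [({'a', 'c'}, ac), ({'b', 'c'}, bc)])
    acbc = in_async_product(tuple('acbc'), [({'a', 'c'}, ac), ({'b', 'c'}, bc)])
    a_w, b_w = periodic(('a',)), periodic(('b',))
    disjoint = in_async_product(tuple('abba'), [({'a'}, a_w), ({'b'}, b_w)])
    shared = in_async_product(tuple('ab'), [({'a', 'b'}, a_w), ({'a', 'b'}, b_w)])
    return abc, acbc, disjoint, shared

def shuffle_example(word):
    """Is word a prefix of ab^w (x) ab^w = (a + ab*a) b^w ?"""
    ab_omega = lambda w: all(c == ('a' if i == 0 else 'b') for i, c in enumerate(w))
    return shuffle_prefix([ab_omega, ab_omega])(tuple(word))

# --- Example 1: compatibility of the leader with a multiset of contributors --

G = (1, 2, 3)
SIGMA_D = {(a, g) for a in ('rd', 'wd') for g in G}
SIGMA_C = {(a, g) for a in ('rc', 'wc') for g in G}

def example1_compatible(copies):
    """Checks a constructed interleaving z (first five store phases of Example 1)
    for membership in D || S || (x)_i v_i, where the multiset holds `copies`
    copies of each of the three contributor words of Figure 1."""
    z = (('wc', 1), ('rd', 1), ('wc', 2), ('rd', 2), ('wc', 3), ('rd', 3), ('rc', 3),
         ('wc', 1), ('rd', 1), ('rc', 1), ('rc', 1),
         ('wc', 2), ('rd', 2), ('rc', 2), ('rc', 2))
    leader = periodic((('rd', 1), ('rd', 2), ('rd', 3)))
    kinds = [(('wc', 1), ('rc', 3), ('rc', 1)),
             (('wc', 2), ('rc', 1), ('rc', 2)),
             (('wc', 3), ('rc', 2), ('rc', 3))]
    contributors = shuffle_prefix([periodic(k) for k in kinds for _ in range(copies)])
    return in_async_product(z, [(SIGMA_D, leader),
                                (SIGMA_D | SIGMA_C, store_prefix),
                                (SIGMA_C, contributors)])
```

With two copies of each contributor word (the multiset of 6 words from Example 1) the constructed prefix is accepted; with a single copy of each it is rejected, because the second $w_c(1)$ arrives while the only type-1 contributor is still waiting for its $r_c(1)$. The search in `shuffle_prefix` is exponential in general; the NP bound of Section 3 comes from the abstraction and the semilinear constraint, not from this kind of enumeration.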
Stuttering property. Intuitively, the stuttering property states that if we take an $\omega$-word of a network $N$ and "stutter" reads and writes of the contributors, going e.g. from $w_d(1)\, r_c(1)\, w_c(2)\, r_d(2) \ldots$ to $w_d(1)\, r_c(1)\, r_c(1)\, w_c(2)\, w_c(2)\, w_c(2)\, r_d(2) \ldots$, the result is again an $\omega$-word of the network.

Let $s \in S$ be a witness of compatibility of $u \in \Sigma_D^\omega$ and $M = \{v_1, \ldots, v_k\}$. Pick a set $I$ of positions (viz. $I \subseteq \mathrm{dom}(s)$) such that $(s)_i \in \Sigma_C$ for each $i \in I$, and pick a number $t_i > 0$ for every $i \in I$. Let $s'$ be the result of simultaneously replacing each $(s)_i$ by $(s)_i^{t_i}$ in $s$. We have that $s' \in S$. Now let $v_j = (s)_{i_1}^{t_{i_1}} (s)_{i_2}^{t_{i_2}} \cdots$, where $i_1 = \min(I)$, $i_2 = \min(I \setminus \{i_1\})$, ... It is easy to see that $(u \parallel s' \parallel v_j \otimes \bigotimes_{i=1}^{k} v_i) \neq \emptyset$, and so $u$ is compatible with $M \oplus \{v_j\}$, the multiset consisting of $M$ and $v_j$, and $s'$ is a witness of compatibility.

An easy consequence of the stuttering property is the copycat lemma [9].

Lemma 1 (Copycat Lemma). Let $u \in \Sigma_D^\omega$ and let $M$ be a multiset of words of $\Sigma_C^\omega$. If $u$ is compatible with $M$, then $u$ is also compatible with $M \oplus \{v\}$ for every $v \in M$.

2.3 The Model-checking Problem for Linear-time Properties 

We consider the model checking problem for linear-time properties, that asks, given a network $N$ and an $\omega$-regular language $L$, decide whether $N \parallel L$ is non-empty. We assume $L$ is given as a Büchi automaton $A$ over $\Sigma_D$. Intuitively, $A$ is a tester that observes the actions of the leader; we call this the leader model checking problem.

We study the complexity of leader model checking for networks in which the read-write $\omega$-languages $D$ and $C$ of leader and contributor are generated by an abstract machine, like a finite-state machine (FSM) or a pushdown machine (PDM). (We give formal definitions later.) More precisely, given two classes of machines $\mathcal{D}, \mathcal{C}$, we study the model checking problem $\mathrm{MC}(\mathcal{D}, \mathcal{C})$ defined as follows:

Given: machines $D \in \mathcal{D}$ and $C \in \mathcal{C}$, and a Büchi automaton $A$
Decide: Is $N_A = (L(A) \parallel L(D) \parallel S \parallel \otimes^* L(C))$ non-empty?

In the next sections we prove that MC(FSM, FSM) and MC(PDM, FSM) are NP-complete, while M C(PDM, PDM) is in NEXPTIME and PSPACE-hard.

Example 2. Consider the instance of the model checking problem where $D$ and $C$ are as in Figure 1, and $A$ is a Büchi automaton recognizing all words over $\Sigma_D$ containing infinitely many occurrences of $r_d(1)$. Since $D$ is compatible with a multiset of words of the contributors, $N_A$ is non-empty. In particular, $N_A^{(6)} \neq \emptyset$.

Since $\Sigma_A = \Sigma_D$, we can replace $A$ and $D$ by a machine $A \times D$ with a Büchi acceptance condition. The construction of $A \times D$ given $A$ and $D$ is standard. In what follows, we assume that $D$ comes with a Büchi acceptance condition and forget about $A$.

There are two natural variants of the model checking problem, where $\Sigma_A = \Sigma_C$, i.e., the alphabet of $A$ contains the actions of all contributors, or $\Sigma_A = \Sigma_D \cup \Sigma_C$. In both these variants, the automaton $A$ can be used to simulate atomic networks. Indeed, if the language of $A$ consists of all sequences of the form $(\mathcal{G}(w_d)\,\mathcal{G}(r_c)\,\mathcal{G}(w_c)\,\mathcal{G}(r_d))^\omega$, and we design the contributors so that they alternate reads and writes, then the accepting executions are those in which the contributors read a value from the store and write a new value in an atomic step. So the complexity of the model-checking problem coincides with the complexity for atomic networks (undecidable for PDMs and EXPSPACE-complete for FSMs), and we do not study it further.
3 MC(FSM, FSM) is NP-complete

We fix some notations. A finite-state machine (FSM) $(Q, \delta, q_0)$ over $\Sigma$ consists of a finite set of states $Q$ containing an initial state $q_0$ and a transition relation $\delta \subseteq Q \times \Sigma \times Q$. A word $v \in \Sigma^\omega$ is accepted by an FSM if there exists a sequence $q_1 q_2 \cdots$ of states such that $(q_i, (v)_{i+1}, q_{i+1}) \in \delta$ for all $i \ge 0$. We denote by $q_0 \xrightarrow{(v)_1} q_1 \xrightarrow{(v)_2} \cdots$ the run accepting $v$. A Büchi automaton $(Q, \delta, q_0, F)$ is an FSM $(Q, \delta, q_0)$ together with a set $F \subseteq Q$ of accepting states. An $\omega$-word $v \in \Sigma^\omega$ is accepted by a Büchi automaton if there is a run $q_0 \xrightarrow{(v)_1} q_1 \xrightarrow{(v)_2} \cdots$ such that $q_j \in F$ for infinitely many positions $j$. The $\omega$-language of a FSM or Büchi automaton $A$, denoted by $L(A)$, is the set of $\omega$-words accepted by $A$.

In the rest of the section we show that MC(FSM, FSM) is NP-complete. Section 3.1 
defines the infinite transition system associated to a (FSM,FSM)-network. Section 3.2 
introduces an associated finite abstract transition system. Section 3.3 states and proves 
a lemma (Lemma 3) characterizing the cycles of the abstract transition system that, 
loosely speaking, can be concretized into infinite executions of the concrete transition 
system. Membership in NP is then proved using the lemma. NP-hardness follows from 
NP-hardness of reachability [9]. 


3.1 (FSM,FSM)-networks: Populations and transition system 

We fix a Büchi automaton $D = (Q_D, \delta_D, q_{0D}, F)$ over $\Sigma_D$ and an FSM $C = (Q_C, \delta_C, q_{0C})$ over $\Sigma_C$. A configuration is a tuple $(q_D, g, p)$, where $q_D \in Q_D$, $g \in \mathcal{G} \cup \{\#\}$, and $p \colon Q_C \to \mathbb{N}$ assigns to each state of $C$ a natural number. Intuitively, $q_D$ is the current state of $D$; $g$ is a value or the special value $\#$, modelling that the store has not been initialized yet, and no process reads before some process writes; finally, $p(q)$ is the number of contributors currently at state $q \in Q_C$. We call $p$ a population of $Q_C$, and write $|p| = \sum_{q \in Q_C} p(q)$ for the size of $p$. Linear combinations of populations are defined componentwise: for every state $q \in Q_C$, we have $(k_1 p_1 + k_2 p_2)(q) := k_1 p_1(q) + k_2 p_2(q)$. Further, given $q \in Q_C$, we denote by $\mathbf{q}$ the population $\mathbf{q}(q') = 1$ if $q = q'$ and $\mathbf{q}(q') = 0$ otherwise, i.e., the population with one contributor in state $q$ and no contributors elsewhere. A configuration is accepting if the state of $D$ is accepting, that is whenever $q_D \in F$. Given a set of populations $P$, we define $(q_D, g, P) := \{(q_D, g, p) \mid p \in P\}$.

The labelled transition system $TS = (X, T, X_0)$ associated to $N_A$ is defined as follows:

- $X$ is the set of all configurations, and $X_0 \subseteq X$ is the set of initial configurations, given by $(q_{0D}, \#, P_0)$, where $P_0 = \{k\,\mathbf{q}_{0C} \mid k \ge 1\}$;

- $T = T_D \cup T_C$, where

• $T_D$ is the set of triples $((q_D, g, p), t, (q'_D, g', p))$ such that $t$ is a transition of $D$, viz. $t \in \delta_D$, and one of the following conditions holds: (i) $t = (q_D, w_d(g'), q'_D)$; or (ii) $t = (q_D, r_d(g), q'_D)$, $g = g'$.

• $T_C$ is the set of triples $((q_D, g, p), t, (q_D, g', p'))$ such that $t \in \delta_C$, and one of the following conditions holds: (iii) $t = (q_C, w_c(g'), q'_C)$, $p \ge \mathbf{q}_C$, and $p' = p - \mathbf{q}_C + \mathbf{q}'_C$; or (iv) $t = (q_C, r_c(g), q'_C)$, $p \ge \mathbf{q}_C$, $g = g'$, and $p' = p - \mathbf{q}_C + \mathbf{q}'_C$.

Observe that $|p| = |p'|$, because the total number of contributors of a population remains constant. Given configurations $c$ and $c'$, we write $c \xrightarrow{t} c'$ if $(c, t, c') \in T$. We introduce a notation important for Lemma 3 below. We define $\Delta(t) := p' - p$. Observe that $\Delta(t) = 0$ in cases (i) and (ii) above, and $\Delta(t) = -\mathbf{q}_C + \mathbf{q}'_C$ in cases (iii) and (iv). So $\Delta(t)$ depends only on the transition $t$, but not on $p$.


3.2 The abstract transition system 

We introduce an abstraction function $\alpha$ that assigns to a set $P$ of populations the set of states of $Q_C$ populated by $P$. We also introduce a concretization function $\gamma$ that assigns to a set $Q \subseteq Q_C$ the set of all populations $p$ that only populate states of $Q$. Formally:

$\alpha(P) = \{q \in Q_C \mid p(q) \ge 1 \text{ for some } p \in P\}$
$\gamma(Q) = \{p \mid p(q) = 0 \text{ for every } q \in Q_C \setminus Q\}$.

It is easy to see that $\alpha$ and $\gamma$ satisfy $\gamma(\alpha(P)) \supseteq P$ and $\alpha(\gamma(Q)) = Q$, and so $\alpha$ and $\gamma$ form a Galois connection (actually, a Galois insertion). An abstract configuration is a tuple $(q_D, g, Q)$, where $q_D \in Q_D$, $g \in \mathcal{G} \cup \{\#\}$, and $Q \subseteq Q_C$. We extend $\alpha$ and $\gamma$ to (abstract) configurations in the obvious way. An abstract configuration is accepting when the state of $D$ is accepting, that is whenever $q_D \in F$.

Given $TS = (X, T, X_0)$, we define its abstraction $\alpha TS = (\alpha X, \alpha T, \alpha X_0)$ as follows:

- $\alpha X = Q_D \times (\mathcal{G} \cup \{\#\}) \times 2^{Q_C}$ is the set of all abstract configurations.

- $\alpha X_0 = (q_{0D}, \#, \alpha(P_0)) = (q_{0D}, \#, \{q_{0C}\})$ is the initial configuration.

- $((q_D, g, Q), t, (q'_D, g', Q')) \in \alpha T$ iff there is $p \in \gamma(Q)$ and $p'$ such that $(q_D, g, p) \xrightarrow{t} (q'_D, g', p')$ and $Q' = \alpha(\{p' \mid \exists p \in \gamma(Q) \colon (q_D, g, p) \xrightarrow{t} (q'_D, g', p')\})$.

Observe that the number of abstract configurations is bounded by $K = |Q_D| \cdot (|\mathcal{G}| + 1) \cdot 2^{|Q_C|}$. Let us point out that our abstract transition system resembles but is different from that of Pnueli et al. [14]. We write $a \xrightarrow{t}_\alpha a'$ if $(a, t, a') \in \alpha T$. The abstraction satisfies the following properties:

(A) For each $\omega$-path $c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \cdots$ of $TS$, there exists an $\omega$-path $a_0 \xrightarrow{t_1}_\alpha a_1 \xrightarrow{t_2}_\alpha a_2 \cdots$ in $\alpha TS$ such that $c_i \in \gamma(a_i)$ for all $i \ge 0$.

(B) If $(q_D, g, Q) \xrightarrow{t}_\alpha (q'_D, g', Q')$, then $Q \subseteq Q'$.

To prove this claim, consider two cases:

• $t \in \delta_D$: Then $(q_D, g, p) \xrightarrow{t} (q'_D, g', p)$ for every population $p$ (because only the leader moves). So $(q_D, g, Q) \xrightarrow{t}_\alpha (q'_D, g', Q)$.

• $t \in \delta_C$: Consider the population $p = 2 \sum_{q \in Q} \mathbf{q} \in \gamma(Q)$. Then $(q_D, g, p) \xrightarrow{t} (q_D, g', p')$, where $p' = p - \mathbf{q}_C + \mathbf{q}'_C$. But then $p' \ge \sum_{q \in Q} \mathbf{q}$, and so $\alpha(\{p'\}) \supseteq Q$, which implies $(q_D, g, Q) \xrightarrow{t}_\alpha (q_D, g', Q')$ for some $Q' \supseteq Q$.

So in every $\omega$-path $a_0 \xrightarrow{t_1}_\alpha a_1 \xrightarrow{t_2}_\alpha a_2 \cdots$ of $\alpha TS$, where $a_i = (q_{Di}, g_i, Q_i)$, there is an index $i$ at which the $Q_i$ stabilize, that is, $Q_i = Q_{i+k}$ holds for every $k \ge 0$. However, the converse of (A) does not hold: given a path $a_0 \xrightarrow{t_1}_\alpha a_1 \xrightarrow{t_2}_\alpha a_2 \cdots$ of $\alpha TS$, there may be no path $c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \cdots$ in $TS$ such that $c_i \in \gamma(a_i)$ for every $i \ge 0$. Consider a contributor machine $C$ with two states $q_0, q_1$ and one single transition $t = (q_0, w_c(1), q_1)$. Then $\alpha TS$ contains the infinite path (omitting the state of the leader, which plays no role):

$(\#, \{q_0\}) \xrightarrow{t}_\alpha (1, \{q_0, q_1\}) \xrightarrow{t}_\alpha (1, \{q_0, q_1\}) \xrightarrow{t}_\alpha (1, \{q_0, q_1\}) \cdots$

However, the transitions of $TS$ are of the form $(1, k_0 \mathbf{q}_0 + k_1 \mathbf{q}_1) \xrightarrow{t} (1, (k_0 - 1)\mathbf{q}_0 + (k_1 + 1)\mathbf{q}_1)$, and so $TS$ has no infinite paths.


3.3 Realizable cycles of the abstract transition system 

We show that the existence of an infinite accepting path in $TS$ reduces to the existence of a certain lasso path in $\alpha TS$. A lasso path consists of a stem and a cycle. Lemma 2 shows how every abstract finite path (like the stem) has a counterpart in $TS$. Lemma 3 characterizes precisely those cycles in $\alpha TS$ which have an infinite path counterpart in $TS$.

Lemma 2. Let $(q_D, g, Q)$ be an abstract configuration of $\alpha TS$ reachable from $(q_{0D}, \#, \alpha(P_0))$ $(= \alpha X_0)$. For every $p \in \gamma(Q)$, there exists $p'$ such that $(q_D, g, p')$ is reachable from $(q_{0D}, \#, P_0)$ and $p' \ge p$.


Lemma 2 does not hold for atomic networks. Indeed, consider a contributor with transitions $q_0 \xrightarrow{w_c(1)} q_1 \xrightarrow{r_c(1) : w_c(2)} q_2 \xrightarrow{r_c(2) : w_c(3)} q_3$, where $r_c(i) : w_c(j)$ denotes that the read and the write happen in one single atomic step. Then we have (omitting the state of the leader, which does not play any role here):

$(\#, \{q_0\}) \xrightarrow{w_c(1)} (1, \{q_0, q_1\}) \xrightarrow{r_c(1) : w_c(2)} (2, \{q_0, q_1, q_2\}) \xrightarrow{r_c(2) : w_c(3)} (3, \{q_0, \ldots, q_3\})$

Let $p$ be the population putting one contributor in each of $q_0, \ldots, q_3$. This population belongs to $\gamma(\{q_0, \ldots, q_3\})$ but no configuration $(3, p')$ with $p' \ge p$ is reachable from any population that only puts contributors in $q_0$, no matter how many. Indeed, after the first contributor moves to $q_2$, no further contributor can follow, and so we cannot have contributors simultaneously in both $q_2$ and $q_3$. On the contrary, in non-atomic networks the Copycat Lemma states that the move by one contributor can always be replicated by arbitrarily many.

We proceed to characterize the cycles of the abstract transition system that can be "concretized". A cycle of $\alpha TS$ is a path $a_0 \xrightarrow{t_1}_\alpha a_1 \xrightarrow{t_2}_\alpha a_2 \cdots \xrightarrow{t_n}_\alpha a_n$ such that $a_n = a_0$. A cycle is realizable if there is an infinite path $c_0 \xrightarrow{t'_1} c_1 \xrightarrow{t'_2} c_2 \cdots$ of $TS$ such that $c_k \in \gamma(a_{(k \bmod n)})$ and $t'_{k+1} = t_{((k+1) \bmod n)}$ for every $k \ge 0$.

Lemma 3. A cycle $a_0 \xrightarrow{t_1}_\alpha a_1 \xrightarrow{t_2}_\alpha a_2 \cdots \xrightarrow{t_n}_\alpha a_n$ of $\alpha TS$ is realizable iff $\sum_{i=1}^{n} \Delta(t_i) = 0$.

Theorem 1. MC(FSM, FSM) is NP-complete.

Proof. NP-hardness follows from the NP-hardness of reachability [9]. We show membership in NP with the following high-level nondeterministic algorithm whose correctness relies on Lemmas 2 and 3:

1. Guess a sequence $Q_1, \ldots, Q_\ell$ of subsets of $Q_C$ such that $Q_i \subsetneq Q_{i+1}$ for all $i$, $0 < i < \ell$. Note that $\ell \le |Q_C|$.

2. Compute the set $\mathcal{Q} = Q_D \times (\mathcal{G} \cup \{\#\}) \times \{\{q_{0C}\}, Q_1, \ldots, Q_\ell\}$ of abstract configurations and the set $\mathcal{T}$ of abstract transitions between configurations of $\mathcal{Q}$.

3. Guess an accepting abstract configuration $a \in \mathcal{Q}$, that is, an $a = (q_D, g, Q)$ such that $q_D$ is accepting in $D$.

4. Check that $a$ is reachable from the initial abstract configuration $(q_{0D}, \#, \{q_{0C}\})$ by means of abstract transitions of $\mathcal{T}$.

5. Check that the transition system with $\mathcal{Q}$ and $\mathcal{T}$ as states and transitions contains a cycle $a_0 \xrightarrow{t_1}_\alpha a_1 \cdots a_{n-1} \xrightarrow{t_n}_\alpha a_n$ such that $n \ge 1$, $a_0 = a_n = a$ and $\sum_{i=1}^{n} \Delta(t_i) = 0$.

We show that the algorithm runs in polynomial time. First, because the sequence guessed is no longer than $|Q_C|$, the guess can be done in polynomial time. Next, we give a polynomial algorithm for step (5):

- Compute an FSA¹ $A_a$ over the alphabet $\delta_D \cup \delta_C$ with $\mathcal{Q}$ as set of states, $\mathcal{T}$ as set of transitions, $a$ as initial state, and $\{a\}$ as set of final states.

- Use the polynomial construction of Seidl et al. [15] to compute an (existential) Presburger formula $\Omega$ for the Parikh image of $L(A_a)$. The free variables of $\Omega$ are in one-to-one correspondence with the transitions of $\delta_D \cup \delta_C$. Denote by $x_t$ the variable corresponding to transition $t \in \delta_D \cup \delta_C$.

- Compute the formula

$\Omega' = \Omega \wedge \bigwedge_{q_C \in Q_C} \Big( \sum_{tgt(t) = q_C} x_t = \sum_{src(t) = q_C} x_t \Big) \wedge \sum_{t \in \delta_D \cup \delta_C} x_t > 0$

where $tgt$ and $src$ return the target and source states of the transition passed in argument. $\Omega'$ adds to $\Omega$ the realizability condition of Lemma 3.

- Check satisfiability of $\Omega'$. This step requires nondeterministic polynomial time because satisfiability of an existential Presburger formula is in NP [11]. □
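The concrete transition system of Section 3.1, the abstraction of Section 3.2 and the realizability test of Lemma 3, as an added Python example that is not the paper's code. It replaces the Parikh-image and Presburger step of the algorithm of Theorem 1 by a bounded exhaustive search for a cycle whose $\Delta$-sum is zero, which is enough for the two constructed machines at the bottom: a leader that needs a contributor to write 1 before it writes 2 itself, paired once with a contributor that returns to its initial state after reading 2, and once with the one-transition contributor of Section 3.2. The encoding of transitions as (source, (kind, value), target) tuples and the machines themselves are assumptions of this example.

```python
from collections import deque

# Added example (not from the paper). Leader D = (QD, deltaD, q0D, F) is a Buchi
# automaton, contributor C = (QC, deltaC, q0C) an FSM, as in Section 3. A
# transition is (source, (kind, value), target) with kind in {'rd','wd'} for the
# leader and {'rc','wc'} for the contributor. A population p over QC is a tuple
# of counts indexed like QC, so p - q + q' is componentwise arithmetic.

def unit(C, q):
    """The population with one contributor in state q and none elsewhere."""
    return tuple(1 if s == q else 0 for s in C[0])

def delta_t(C, t):
    """Delta(t) = p' - p: zero for a leader transition, -q + q' for a contributor one."""
    if t[1][0] in ('rd', 'wd'):
        return tuple(0 for _ in C[0])
    return tuple(b - a for a, b in zip(unit(C, t[0]), unit(C, t[2])))

def add(p1, p2):
    return tuple(a + b for a, b in zip(p1, p2))

def concrete_successors(conf, D, C):
    """Successors of (qD, g, p) in TS, cases (i)-(iv) of Section 3.1, with the transition."""
    qD, g, p = conf
    out = []
    for t in D[1]:
        src, (kind, val), tgt = t
        if src == qD and kind == 'wd':                    # (i) the leader writes val
            out.append((t, (tgt, val, p)))
        elif src == qD and kind == 'rd' and val == g:     # (ii) the leader reads the stored value
            out.append((t, (tgt, g, p)))
    for t in C[1]:
        src, (kind, val), tgt = t
        if p[C[0].index(src)] < 1:                        # (iii)/(iv) need p >= q
            continue
        p2 = add(p, delta_t(C, t))                        # p' = p - q + q'
        if kind == 'wc':
            out.append((t, (qD, val, p2)))
        elif kind == 'rc' and val == g:
            out.append((t, (qD, g, p2)))
    return out

def abstract_successors(aconf, D, C):
    """Successors of (qD, g, Q) in alpha TS. A contributor transition q -> q' is enabled in
    gamma(Q) iff q in Q, and choosing p with two contributors in q shows Q' = Q u {q'};
    a leader transition leaves Q unchanged (property (B) of Section 3.2)."""
    qD, g, Q = aconf
    out = []
    for t in D[1]:
        src, (kind, val), tgt = t
        if src == qD and (kind == 'wd' or val == g):
            out.append((t, (tgt, val if kind == 'wd' else g, Q)))
    for t in C[1]:
        src, (kind, val), tgt = t
        if src in Q and (kind == 'wc' or val == g):
            out.append((t, (qD, val if kind == 'wc' else g, Q | {tgt})))
    return out

def reachable(start, successors):
    seen, todo = {start}, deque([start])
    while todo:
        for _, nxt in successors(todo.popleft()):
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return seen

def find_realizable_cycle(a, D, C, max_len):
    """Bounded depth-first search for a cycle a -> ... -> a of alpha TS whose transitions
    satisfy sum Delta(t_i) = 0 (Lemma 3); returns the transitions or None. The paper
    decides this in NP via Parikh images and Presburger arithmetic; the exhaustive
    search here is only meant for small constructed machines."""
    zero = tuple(0 for _ in C[0])
    def go(cur, acc, path):
        if path and cur == a and acc == zero:
            return path
        if len(path) == max_len:
            return None
        for t, nxt in abstract_successors(cur, D, C):
            found = go(nxt, add(acc, delta_t(C, t)), path + [t])
            if found:
                return found
        return None
    return go(a, zero, [])

def has_accepting_lasso(D, C, max_len):
    """Steps 3-5 of the algorithm of Theorem 1 over all reachable abstract configurations:
    is some reachable accepting abstract configuration on a realizable cycle?"""
    a0 = (D[2], '#', frozenset({C[2]}))
    return any(a[0] in D[3] and find_realizable_cycle(a, D, C, max_len) is not None
               for a in reachable(a0, lambda x: abstract_successors(x, D, C)))

def concrete_accepting_cycle(k, D, C):
    """Ground truth for the k-instance: TS is finite because |p| = k stays constant, so
    look for a reachable accepting configuration that can reach itself."""
    c0 = (D[2], '#', tuple(k if s == C[2] else 0 for s in C[0]))
    succ = lambda x: concrete_successors(x, D, C)
    return any(c[0] in D[3] and any(c in reachable(n, succ) for _, n in succ(c))
               for c in reachable(c0, succ))

# Constructed machines. LEADER waits for a contributor to write 1, then writes 2 itself.
LEADER = (('d0', 'd1'), [('d0', ('rd', 1), 'd1'), ('d1', ('wd', 2), 'd0')], 'd0', {'d0'})
C_LOOP = (('c0', 'c1'), [('c0', ('wc', 1), 'c1'), ('c1', ('rc', 2), 'c0')], 'c0')
# The one-transition contributor of Section 3.2: its abstract self-loop has Delta(t) != 0.
C_STUCK = (('q0', 'q1'), [('q0', ('wc', 1), 'q1')], 'q0')
IDLE = (('d0',), [], 'd0', {'d0'})
```

With `C_LOOP` the abstract configuration $(d_0, 1, \{c_0, c_1\})$ lies on the cycle $r_d(1), w_d(2), r_c(2), w_c(1)$ whose $\Delta$-sum is zero, and the concrete 1-instance indeed has an accepting cycle. With `C_STUCK` every abstract cycle through a configuration with store value 1 must contain $w_c(1)$, no transition ever returns a contributor to $q_0$, so no cycle has zero $\Delta$-sum, and the 3-instance of $TS$ is acyclic, matching the discussion at the end of Section 3.2.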

4 MC(PDM, FSM) is NP-complete 

A pushdown system (PDM) $P = (Q, \Gamma, \delta, q_0)$ over $\Sigma$ consists of a finite set $Q$ of states including the initial state $q_0$, a stack alphabet $\Gamma$ including the bottom stack symbol $\bot$, and a set of rules $\delta \subseteq Q \times \Sigma \times \Gamma \times Q \times ((\Gamma \setminus \{\bot\}) \cup \{pop\})$ which either push or pop as explained below. A PDM-configuration $qw$ consists of a state $q \in Q$ and a word $w \in \Gamma^*$ (denoting the stack content). For $q, q' \in Q$, $a \in \Sigma$, $\gamma, \gamma' \in \Gamma$, $w, w' \in \Gamma^*$, we say a PDM-configuration $q'w$ (resp. $q'\gamma'\gamma w$) $a$-follows $q\gamma w$ if $(q, a, \gamma, q', pop) \in \delta$ (resp. $(q, a, \gamma, q', \gamma') \in \delta$); we write $qw \xrightarrow{a} q'w'$ if $q'w'$ $a$-follows $qw$, and call it a transition. A run $c_0 \xrightarrow{(v)_1} c_1 \xrightarrow{(v)_2} \cdots$ on a word $v \in \Sigma^\omega$ is a sequence of PDM-configurations such that $c_0 = q_0 \bot$ and $c_i \xrightarrow{(v)_{i+1}} c_{i+1}$ for all $i \ge 0$. We write $c \xrightarrow{*} c'$ if there is a run from $c$ to $c'$. The language $L(P)$ of $P$ is the set of all words $v \in \Sigma^\omega$ such that $P$ has a run on $v$.

A Büchi PDM is a PDM with a set $F \subseteq Q$ of accepting states. A word is accepted by a Büchi PDM if there is a run on the word for which some state in $F$ occurs infinitely often along the PDM-configurations. The following lemma characterizes accepting runs.

Lemma 4. [7] Let $c$ be a configuration. There is an accepting run starting from $c$ iff there are states $q \in Q$, $q_f \in F$, a stack symbol $\gamma \in \Gamma$ such that $c \xrightarrow{*} q\gamma w$ for some $w \in \Gamma^*$ and $q\gamma \xrightarrow{*} q_f u \xrightarrow{*} q\gamma w'$ for some $u, w' \in \Gamma^*$.

¹ A finite-state automaton (FSA) is an FSM which decides languages of finite words. Therefore an FSA is an FSM with a set $F$ of accepting states.
We now show that MC(PDM, FSM) is decidable, generalizing the proof from Section 3. Fix a Büchi PDM $D = (Q_D, \Gamma_D, \delta_D, q_{0D}, F)$ and an FSM $C = (Q_C, \delta_C, q_{0C})$. A configuration is a tuple $(q_D, w, g, \mathbf{p})$, where $q_D \in Q_D$, $w \in \Gamma_D^*$ is the stack content, $g \in G \cup \{\#\}$ is the value of the store, and $\mathbf{p}$ is a population. Intuitively, $q_D w$ is the PDM-configuration of the leader. We extend the definitions from Section 3, like accepting configuration, in the obvious way.

We define a labeled transition system $TS = (X, T, X_0)$, where $X$ is the set of configurations including the set $X_0 = \{(q_{0D}, \bot, \#, \mathbf{p}_0)\}$ of initial configurations, and the transition relation is $T = T_D \cup T_C$, where $T_C$ is as before and $T_D$ is the set of triples $((q_D, w, g, \mathbf{p}), t, (q'_D, w', g', \mathbf{p}))$ such that $t$ is a transition (not a rule) of $D$ and one of the following conditions holds: (i) $t = (q_D w \xrightarrow{w_d(g')} q'_D w')$, i.e. the leader writes $g'$; or (ii) $t = (q_D w \xrightarrow{r_d(g)} q'_D w')$ and $g = g'$, i.e. the leader reads the current value of the store. We define the abstraction $aTS$ of $TS$ as the obvious generalization of the abstraction in Section 3. An accepting path of the (abstract) transition system is an infinite path with infinitely many accepting (abstract) configurations. As for MC(FSM, FSM), not every accepting path of the abstraction admits a concretization, but we find a realizability condition in terms of linear constraints. Here we use again the polynomial construction of Seidl et al. [15] mentioned in the proof of Theorem 1, this time to compute an (existential) Presburger formula for the Parikh image of a pushdown automaton.

Theorem 2. MC(PDM, FSM) is NP-complete.


5 MC(PDM, PDM) is in NEXPTIME 

We show how to reduce MC(PDM, PDM) to MC(PDM, FSM). We first introduce the notion of effective stack height of a PDM-configuration in a run of a PDM, and define, given a PDM $C$, an FSM $C_k$ that simulates all the runs of $C$ of effective stack height at most $k$. Then we show that, for $k \in O(n^3)$, where $n$ is the size of $C$, the language $(L(D) \parallel S \parallel \bigoplus L(C))$ is empty iff $(L(D) \parallel S \parallel \bigoplus L(C_k))$ is empty.

5.1 An FSM for runs of bounded effective stack height

Consider a run of a PDM that repeatedly pushes a symbol on the stack. The stack height of the configurations (for readability, we write "configuration" for "PDM-configuration") is unbounded, but, intuitively, the PDM only uses the topmost stack symbol during the run. To account for this we define the notion of effective stack height.

Definition 3. Let $\rho = c_0 \xrightarrow{(v)_1} c_1 \xrightarrow{(v)_2} \cdots$ be an infinite run of a PDM on an $\omega$-word $v$, where $c_i = q_i w_i$. The dark suffix of $c_i$ in $\rho$, denoted by $ds(w_i)$, is the longest suffix of $w_i$ that is also a proper suffix of $w_{i+k}$ for every $k \ge 0$. The active prefix $ap(w_i)$ of $w_i$ is the prefix satisfying $w_i = ap(w_i) \cdot ds(w_i)$. The effective stack height of $c_i$ in $\rho$ is $|ap(w_i)|$. We say that $\rho$ is effectively $k$-bounded (or simply $k$-bounded for the sake of readability) if every configuration of $\rho$ has an effective stack height of at most $k$. Further, we say that $\rho$ is bounded if it is $k$-bounded for some $k \in \mathbb{N}$. Finally, an $\omega$-word of the PDM is $k$-bounded, respectively bounded, if it is the word generated by some $k$-bounded, respectively bounded, run (other runs for the same word may not be bounded).
Intuitively, the effective stack height measures the actual memory required by the PDM to perform its run. For example, repeatedly pushing symbols on the stack produces a run with effective stack height 1 at every position. Given a position in the run, the elements of the stack that are never popped are those in the longest common suffix of the current stack and all subsequent stacks. The first element of that suffix may still be read as the top symbol, therefore only the longest proper suffix is effectively useless, and so no configuration along an infinite run has effective stack height 0.

Proposition 1. Every infinite run of a PDM contains infinitely many positions at which the effective stack height is 1.

Proof. Let $p_0 w_0 \to p_1 w_1 \to p_2 w_2 \to \cdots$ be any infinite run. Notice that $|w_i| \ge 1$ for every $i \ge 0$, because otherwise the run would not be infinite. Let $X$ be the set of positions of the run defined as: $i \in X$ iff $|w_i| \le |w_j|$ for every $j \ge i$. Observe that $X$ is infinite, because the first configuration of minimal stack height, say $p_k w_k$, belongs to it, and so does the first configuration of minimal stack height of the suffix $p_{k+1} w_{k+1} \to \cdots$, etc. By construction, at every position $i \in X$ the stack $w_i$ is a suffix of every later stack (a stack only changes at the top), so $ds(w_i)$ is $w_i$ without its top symbol and the configuration has effective stack height 1. □

In a $k$-bounded run, whenever the stack height exceeds $k$, the $(k+1)$-th stack symbol will never become the top symbol again, and so it becomes useless. So we can construct a finite-state machine recognizing the words of $L(P)$ accepted by $k$-bounded runs.

Definition 4. Given a PDM $P = (Q, \Gamma, \delta, q_0)$, the FSM $P_k = (Q_k, \delta_k, q_{0k})$, called the $k$-restriction of $P$, is defined as follows: (a) $Q_k = Q \times \Gamma^{\le k}$ (a state of $P_k$ consists of a state of $P$ and a stack content no longer than $k$); (b) $q_{0k} = (q_0, \bot)$; (c) $\delta_k$ contains a transition $(q, w) \xrightarrow{a} (q', (w')_{1..k})$ iff $qw \xrightarrow{a} q'w'$ is a transition (not a rule) of $P$, where $(w')_{1..k}$ denotes the $k$ topmost symbols of $w'$ (all of $w'$ if $|w'| \le k$).

Theorem 3. Given a PDM $P$, an $\omega$-word $v$ admits a $k$-bounded run in $P$ iff $v \in L(P_k)$.
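The following Python program, added here as an example (it is not code from the paper), computes the effective stack height of Definition 3 along a run and simulates the $k$-restriction $P_k$ of Definition 4 on the same rule sequence. It uses the PDM of Example 4 (one state $p$, stack symbols $\{\bot, a\}$, rules $r_a: p\bot \to pa\bot$, $r_b: pa \to paa$, $r_c: pa \to p$) and the run $\rho = r_a r_b r_b r_c r_c r_c$ of Example 3. Two choices are mine: the bottom symbol is spelled `Z`, and a $P_k$ state must keep a non-empty stack (as in the proof of Theorem 3), so a run that would empty the truncated stack is reported as not enabled. On a finite run the dark suffix of Definition 3 quantifies over the remaining configurations only, which is what gives the last configuration of $\rho$ effective stack height 1 as in Example 5.

```python
"""Effective stack height (Definition 3) and the k-restriction P_k (Definition 4).
Example code added by the editor, not part of the paper. PDM of Example 4, run of
Example 3. Stacks are strings written top-first; "Z" stands for the bottom symbol
(an assumption of this example)."""

BOTTOM = "Z"

# A rule is (state, action, top_symbol, new_state, pushed_symbol_or_"pop").
# The rule names r_a, r_b, r_c and the action letters are the example's own labels.
RULES = {
    "r_a": ("p", "a", BOTTOM, "p", "a"),   # p bot -> p a bot
    "r_b": ("p", "b", "a", "p", "a"),      # p a   -> p a a
    "r_c": ("p", "c", "a", "p", "pop"),    # p a   -> p
}


def step(config, rule):
    """Apply one rule to a configuration (state, stack); None if it does not fire."""
    state, stack = config
    src, _action, top, dst, effect = rule
    if state != src or not stack or stack[0] != top:
        return None
    return (dst, stack[1:]) if effect == "pop" else (dst, effect + stack)


def run(rule_names, start=("p", BOTTOM)):
    """Configurations c(rho,0), ..., c(rho,n) of the run rho = r_1 ... r_n."""
    configs = [start]
    for name in rule_names:
        nxt = step(configs[-1], RULES[name])
        if nxt is None:
            raise ValueError("rule %s does not fire at %r" % (name, configs[-1]))
        configs.append(nxt)
    return configs


def is_proper_suffix(s, w):
    return len(s) < len(w) and w.endswith(s)


def dark_suffix(stacks, i):
    """Longest suffix of stacks[i] that is a proper suffix of every stacks[j], j >= i.
    Quantifying over j >= i (the current stack included) is what keeps every
    effective stack height at least 1, as Proposition 1 requires."""
    w = stacks[i]
    for start in range(1, len(w) + 1):        # proper suffixes, longest first
        cand = w[start:]
        if all(is_proper_suffix(cand, stacks[j]) for j in range(i, len(stacks))):
            return cand
    return ""


def effective_stack_heights(configs):
    """|ap(w_i)| = |w_i| - |ds(w_i)| for every configuration of the run."""
    stacks = [s for _q, s in configs]
    return [len(s) - len(dark_suffix(stacks, i)) for i, s in enumerate(stacks)]


def restriction_run(rule_names, k, start=("p", BOTTOM)):
    """Run the FSM P_k of Definition 4: the P transition is taken on the stored
    stack and its result is truncated to its k topmost symbols. Returns the final
    P_k state, or None if some step is not enabled or would empty the stack
    (the non-empty-stack requirement is an assumption of this example)."""
    state = start
    for name in rule_names:
        nxt = step(state, RULES[name])
        if nxt is None or nxt[1][:k] == "":
            return None
        state = (nxt[0], nxt[1][:k])
    return state


RHO = ["r_a", "r_b", "r_b", "r_c", "r_c", "r_c"]   # the run of Example 3

if __name__ == "__main__":
    cfgs = run(RHO)
    print([s for _q, s in cfgs])            # stacks of c(rho,0) ... c(rho,6)
    print(effective_stack_heights(cfgs))    # 1 2 3 4 3 2 1: rho is 4-bounded
    print(restriction_run(RHO, 4), restriction_run(RHO, 3))
    print(restriction_run(["r_a"] + ["r_b"] * 10, 1))   # push-only run fits in P_1
```

On $\rho$ the heights are 1, 2, 3, 4, 3, 2, 1, so $P_4$ follows the whole run and returns to $(p, \bot)$, while $P_3$ gets stuck: after the third push it has truncated $\bot$ away and the third pop would empty its stack. A run that only pushes has effective stack height 1 at every position and is already simulated by $P_1$, which is the situation described at the start of Section 5.1.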

5.2 The Reduction Theorem 

We fix a Büchi PDM $D$ and a PDM $C$. By Theorem 3, in order to reduce MC(PDM, PDM) to MC(PDM, FSM) it suffices to prove the following Reduction Theorem:

Theorem 4 (Reduction Theorem). Let $N = 2|Q_C|^2|\Gamma_C| + 1$, where $Q_C$ and $\Gamma_C$ are the states and stack alphabet of $C$, respectively. Let $C_N$ be the $N$-restriction of $C$. We have:

$(L(D) \parallel S \parallel \bigoplus L(C)) \neq \emptyset \iff (L(D) \parallel S \parallel \bigoplus L(C_N)) \neq \emptyset$. (†)

There are PDMs $D$, $C$ for which (†) holds only for $N \in \Omega(|Q_C|^2|\Gamma_C|)$.

Theorems 4 and 2 provide an upper bound for MC(PDM, PDM). PSPACE-hardness of the reachability problem [9] gives a lower bound.

Theorem 5. MC(PDM, PDM) is in NEXPTIME and PSPACE-hard. If the contributor is a one-counter machine (with zero-test), it is NP-complete.

The proof of Theorem 4 is very involved. Given a run of $D$ compatible with a finite multiset of runs of $C$, we construct another run of $D$ compatible with a finite multiset of $N$-bounded runs of $C_N$. (Here we extend compatibility to runs: runs are compatible if the words they accept are compatible.)

The proof starts with the Distributing Lemma, which, loosely speaking, shows how to replace a run of $C$ by a multiset of "smaller" runs of $C$ without the leader "noticing". After this preliminary result, the first key proof element is the Boundedness Lemma. Let $\sigma$ be an infinite run of $D$ compatible with a finite multiset $R$ of runs of $C$. The Boundedness Lemma states that, for any number $Z$, the first $Z$ steps of $\sigma$ are compatible with a (possibly larger) multiset $R_Z$ of runs of $C_N$. Since the size of $R_Z$ may grow with $Z$, this lemma does not yet prove Theorem 4: it only shows that $\sigma$ is compatible with an infinite multiset of runs of $C_N$. This obstacle is overcome in the final step of the proof. We show that, for a sufficiently large $Z$, there are indices $i < j$ such that not $\sigma$ itself, but the run $(\sigma)_{1..i}\,((\sigma)_{i+1..j})^\omega$ is compatible with a finite multiset of runs of $C_N$. Loosely speaking, this requires proving not only that the leader can repeat $(\sigma)_{i+1..j}$ infinitely often, but also that the runs executed by the instances of $C_N$ while the leader executes $(\sigma)_{i+1..j}$ can be repeated infinitely often.

The Distributing Lemma. Let $\rho = c_0 \xrightarrow{a_1} c_1 \xrightarrow{a_2} c_2 \xrightarrow{a_3} \cdots$ be a (finite or infinite) run of $C$. Let $r_i$ be the PDM-rule of $C$ generating the transition $c_{i-1} \xrightarrow{a_i} c_i$. Then $\rho$ is completely determined by $c_0$ and the sequence $r_1 r_2 r_3 \ldots$ Since $c_0$ is also fixed (for fixed $C$), in the rest of the paper we also sometimes write $\rho = r_1 r_2 r_3 \ldots$ This notation allows us to speak of $dom(\rho)$, $(\rho)_k$, $(\rho)_{i..j}$ and $(\rho)_{i..\infty}$.

We say that $\rho$ distributes to a multiset $R$ of runs of $C$ if there exists an embedding function $\psi$ that assigns to each run $\rho' \in R$ and to each position $i \in dom(\rho')$ a position $\psi(\rho', i) \in dom(\rho)$, and satisfies the following properties:

- $(\rho')_i = (\rho)_{\psi(\rho', i)}$. (A rule occurrence in $\rho'$ is matched to another occurrence of the same rule in $\rho$.)

- $\psi$ is surjective. (For every position $k \in dom(\rho)$ there is at least one $\rho' \in R$ and a position $i \in dom(\rho')$ such that $\psi(\rho', i) = k$, or, informally, $R$ "covers" $\rho$.)

- If $i < j$, then $\psi(\rho', i) < \psi(\rho', j)$. (So $\rho'$ is a scattered subword of $\rho$, embedded at the positions $\psi(\rho', 1) < \psi(\rho', 2) < \cdots$.)


Example 3. Let $\rho$ be a run of a PDM $P$. Below are two distributions $R$ and $S$ of $\rho = r_a r_b r_b r_c r_c r_c$. On the left we have $R = \{\rho'_1, \rho'_2, \rho'_3\}$ and its embedding function $\psi$; on the right $S = \{\sigma'_1, \sigma'_2, \sigma'_3\}$ and its function $\psi$. Each row lists a run of the distribution and, position by position, the positions of $\rho$ to which $\psi$ maps its positions.

Positions of $\rho$:   1     2     3     4     5     6
$\rho$ =               $r_a$   $r_b$   $r_b$   $r_c$   $r_c$   $r_c$

Distribution $R$:
  $\rho'_1 = r_a r_c$             $\psi$: 1, 6
  $\rho'_2 = r_a r_b r_c$         $\psi$: 1, 2, 5
  $\rho'_3 = r_a r_b r_c$         $\psi$: 1, 3, 4

Distribution $S$:
  $\sigma'_1 = r_a r_c$               $\psi$: 1, 4
  $\sigma'_2 = r_a r_b r_c r_c$       $\psi$: 1, 2, 4, 5
  $\sigma'_3 = r_a r_b r_c r_c$       $\psi$: 1, 3, 5, 6


Lemma 5 (Distributing lemma). Let $u \in L(D)$, and let $M$ be a multiset of words of $L(C)$ compatible with $u$. Let $v \in M$ and let $\rho$ be an accepting run of $v$ in $C$ that distributes to a multiset $R$ of runs of $C$, and let $M_R$ be the corresponding multiset of words. Then $M \ominus \{v\} \oplus M_R$ is also compatible with $u$.


The Boundedness Lemma. We are interested in distributing a multiset of runs of $C$ into another multiset with, loosely speaking, "better" effective stack height.

Fix a run $\rho$ of $C$ and a distribution $R$ of $\rho$ with embedding function $\psi$. In Example 3, $(\rho)_{1..4}$ is distributed into $(\rho'_1)_{1..1}$, $(\rho'_2)_{1..2}$ and $(\rho'_3)_{1..3}$. Assume $\rho$ is executed by one contributor. We can replace it by 3 contributors executing $\rho'_1, \rho'_2, \rho'_3$ without the rest of the network noticing any difference. Indeed, the three processes can execute $r_a$ immediately after each other, which for the rest of the network is equivalent to the old contributor executing one $r_a$. Then we replace the execution of $(\rho)_{2..4}$ by $(\rho'_2)_2\,(\rho'_3)_{2..3}$.

We introduce some definitions allowing us to formally describe such facts. Given $k \in dom(\rho)$, we denote by $c(\rho, k)$ the configuration reached by $\rho$ after $k$ steps. We naturally extend this notation to define $c(\rho, 0)$ as the initial configuration. We denote by $last_\psi(\rho', i)$ the largest position $k \in dom(\rho')$ such that $\psi(\rho', k) \le i$ (if none exists, we fix $last_\psi(\rho', i) = 0$). Further, we denote by $c_\psi(\rho', k)$ the configuration reached by $\rho'$ after $k$ steps of $\rho$, that is, the configuration reached by $\rho'$ after the execution of $last_\psi(\rho', k)$ transitions; formally, $c_\psi(\rho', k) = c(\rho', last_\psi(\rho', k))$.

Example 4. Let $\rho$, $R$, and $\psi$ be as in Example 3. Assuming that the PDM $P$ has one single state $p$ and stack symbols $\{\bot, a\}$, such that the three rules $r_a$, $r_b$ and $r_c$ are given by $r_a : p\bot \to pa\bot$, $r_b : pa \to paa$, and $r_c : pa \to p$, then we have $c(\rho, 5) = pa\bot$. Further, $last_\psi(\rho'_1, 5) = 1$, $last_\psi(\rho'_2, 5) = 3$, and $last_\psi(\rho'_3, 5) = 3$. Finally, $c_\psi(\rho'_1, 5) = pa\bot$, $c_\psi(\rho'_2, 5) = pa\bot$, and $c_\psi(\rho'_3, 5) = pa\bot$.

Given $Z \in dom(\rho)$ and $K \in \mathbb{N}$, we say that a distribution $R$ of $\rho$ is $(Z, K)$-bounded if for every $\rho' \in R$ and for every $i \le Z$, the effective stack height of $c_\psi(\rho', i)$ is bounded by $K$. Further, we say that $R$ is synchronized if for every configuration $c(\rho, i)$ with effective stack height 1 and for every $\rho' \in R$, $c_\psi(\rho', i) = c(\rho, i)$ (same control state and same stack content), and $c_\psi(\rho', i)$ also has effective stack height 1. The Boundedness Lemma states that there is a constant $N$, depending only on $C$, such that for every run $\rho$ of $C$ and for every $Z \in dom(\rho)$ there is a $(Z, N)$-bounded and synchronized distribution $R_Z$ of $\rho$. The key of the proof is the following lemma.

Lemma 6. Let $N = 2|Q_C|^2|\Gamma_C| + 1$. Let $\rho$ be a run of $C$ and let $Z \in dom(\rho)$ be the first position of $\rho$ such that $c(\rho, Z)$ is not $N$-bounded, that is, has effective stack height greater than $N$. Then there is a $(Z, N)$-bounded and synchronized distribution of $\rho$.

Proof sketch. We construct a $(Z, N)$-bounded and synchronized distribution $\{\rho_a, \rho_b\}$ of $\rho$. Let $a_{N+1} a_N \cdots a_1 w_0$ be the stack content of $c(\rho, Z)$. Define positions $\{p_1^\uparrow, p_1^\downarrow, p_2^\uparrow, p_2^\downarrow, \ldots, p_N^\uparrow, p_N^\downarrow\} \subseteq dom(\rho)$ such that for each $i$, $1 \le i \le N$, $c(\rho, p_i^\uparrow)$ and $c(\rho, p_i^\downarrow)$ are the configurations immediately after the symbol $a_i$ in $c(\rho, Z)$ is pushed, respectively popped, and such that the stack content of each configuration between $p_i^\uparrow$ (included) and $p_i^\downarrow$ (excluded) equals $w' a_i a_{i-1} \cdots a_1 w_0$ for some $w' \in \Gamma_C^*$. We get $c(\rho, p_i^\uparrow) = q_i\, a_i a_{i-1} \cdots a_1 w_0$ and $c(\rho, p_i^\downarrow) = q'_i\, a_{i-1} \cdots a_1 w_0$ for some $q_i, q'_i \in Q_C$. Observe that the following holds:

$p_1^\uparrow < \cdots < p_{N-1}^\uparrow < p_N^\uparrow < Z < p_N^\downarrow < p_{N-1}^\downarrow < \cdots < p_1^\downarrow$.

Since $N = 2|Q_C|^2|\Gamma_C| + 1$, by the pigeonhole principle we find $q, a, q'$ and three indices $1 \le j_1 < j_2 < j_3 \le N$ with $(q_j, a_j, q'_j) = (q, a, q')$ for $j \in \{j_1, j_2, j_3\}$, such that, letting $w_1 = a_{j_1 - 1} \cdots a_1 w_0$, $w_2 = a_{j_2 - 1} \cdots a_{j_1}$ and $w_3 = a_{j_3 - 1} \cdots a_{j_2}$, we have:

$\rho = [q a w_1]\ (\rho)_{p_{j_1}^\uparrow + 1 .. p_{j_2}^\uparrow}\ [q a w_2 w_1]\ (\rho)_{p_{j_2}^\uparrow + 1 .. p_{j_3}^\uparrow}\ [q a w_3 w_2 w_1]\ (\rho)_{p_{j_3}^\uparrow + 1 .. p_{j_3}^\downarrow}\ [q' w_3 w_2 w_1]\ (\rho)_{p_{j_3}^\downarrow + 1 .. p_{j_2}^\downarrow}\ [q' w_2 w_1]\ (\rho)_{p_{j_2}^\downarrow + 1 .. p_{j_1}^\downarrow}\ [q' w_1]\ (\rho)_{p_{j_1}^\downarrow + 1 .. \infty}$.

Here, the notation indicates that we reach configuration $[q a w_1]$ after $(\rho)_{1..p_{j_1}^\uparrow}$, the configuration $[q a w_2 w_1]$ after $(\rho)_{1..p_{j_2}^\uparrow}$, etc.

Now define $\rho_a$ from $\rho$ by simultaneously deleting $(\rho)_{p_{j_1}^\uparrow + 1 .. p_{j_2}^\uparrow}$ and $(\rho)_{p_{j_2}^\downarrow + 1 .. p_{j_1}^\downarrow}$. We similarly define $\rho_b$ by deleting $(\rho)_{p_{j_2}^\uparrow + 1 .. p_{j_3}^\uparrow}$ and $(\rho)_{p_{j_3}^\downarrow + 1 .. p_{j_2}^\downarrow}$. The following shows that $\rho_a$ defines a legal run, since it is given by

$\rho_a = [q a w_1]\ (\rho)_{p_{j_2}^\uparrow + 1 .. p_{j_3}^\uparrow}\ [q a w_3 w_1]\ (\rho)_{p_{j_3}^\uparrow + 1 .. p_{j_3}^\downarrow}\ [q' w_3 w_1]\ (\rho)_{p_{j_3}^\downarrow + 1 .. p_{j_2}^\downarrow}\ [q' w_1]\ (\rho)_{p_{j_1}^\downarrow + 1 .. \infty}$,

where every kept segment leaves the stack below the symbol $a$ from which it starts untouched, and so can be executed just as well with $w_2$ removed underneath. A similar reasoning holds for $\rho_b$. Finally, one can show that $\{\rho_a, \rho_b\}$ is a $(Z, N)$-bounded and synchronized distribution of $\rho$.

Footnote: Notice that the effective stack height of a configuration depends on the run it belongs to, and so $c(\rho, i) = c_\psi(\rho', i)$ does not necessarily imply that they have the same effective stack height.

Lemma 7 (Boundedness Lemma). Let $N = 2|Q_C|^2|\Gamma_C| + 1$, and let $\rho$ be a run of $C$. For every $Z \in dom(\rho)$ there is a $(Z, N)$-bounded and synchronized distribution $R_Z$ of $\rho$.

The proof is by induction on $Z$. The distribution $\psi_{Z+1}, R_{Z+1}$ is obtained from $\psi_Z, R_Z$ by distributing each run $\rho'$ of $R_Z$ into a $(last_{\psi_Z}(\rho', Z) + 1, N)$-bounded distribution (applying Lemma 6).
Proof sketch of Theorem 4. Given a run $\sigma$ of $D$ compatible with a finite multiset $M$ of runs of $C$, we construct another run $\tau$ of $D$ and a multiset $R$ of $N$-bounded runs of $C_N$ such that $\tau$ and $R$ are compatible as well. We consider only the special case in which $M$ has one single element $\rho$ (and one single copy of it). Since $\sigma$ is compatible with $\rho$, we fix a witness $\pi \in S$ such that $\pi \in \sigma \parallel \rho$. We construct a "lasso run" out of it, of the form $\pi_1 [\pi_2]^\omega$. It suffices to find two positions in $\pi$ where the content of the store is the same, the corresponding configurations of the leader are the same, and similarly for each contributor; the fragment between these two positions can be repeated (is "pumpable").

Given a position $i$ of $\pi$, let $i_\rho$ and $i_\sigma$ denote the corresponding positions in $\rho$ and $\sigma$ (position $i$ in $\pi$ defines the position $i_\sigma$ in $\sigma$ such that $(\sigma)_{1..i_\sigma} = Proj_{\Sigma_D}((\pi)_{1..i})$; similarly $i_\rho$ is defined as satisfying $(\rho)_{1..i_\rho} = Proj_{\Sigma_C}((\pi)_{1..i})$). Further, for every $Z$ let $R_Z$ be a $(Z, N)$-bounded and synchronized distribution of $\rho$ with embedding function $\psi$ (which exists by the Boundedness Lemma). Let $R_Z(i_\rho) = \{c_\psi(\eta, i_\rho) \mid \eta \in R_Z\}$ denote the multiset of configurations reached by the runs of $R_Z$ after $i$ steps of $\pi$. Using Proposition 1 and that (i) the store has a finite number of values, (ii) $R_Z$ is $(Z, N)$-bounded, and (iii) there are only finitely many active prefixes of length at most $N$, we can apply the pigeonhole principle to find a sufficiently large number $Z$ and three positions $i < j < k \le Z$ in $\pi$ satisfying the following properties:

(1) The contents of the store at positions $i$ and $k$ of $\pi$ coincide.

(2) The configurations $c(\sigma, i_\sigma)$ and $c(\sigma, k_\sigma)$ of the leader have effective stack height 1, the same topmost stack symbol and the same control state. Further, $\sigma$ enters and leaves some accepting state between $i_\sigma$ and $k_\sigma$.

(3) The configuration $c(\rho, j_\rho)$ has effective stack height 1.

(4) For every configuration of $R_Z(i_\rho)$ there is a configuration of $R_Z(k_\rho)$ with the same control state and active prefix, and vice versa.

Condition (4) means that, after removing the dark suffixes, $R_Z(i_\rho)$ and $R_Z(k_\rho)$ contain the same pruned configurations, although possibly a different number of times (same set, different multisets). If we obtain the same multiset, then the fragment of $\pi$ between positions $i$ and $k$ is pumpable by (1) and (2), and we are done. Otherwise, we use (3) and the fact that $R_Z$ is synchronized (which had not been used so far) to obtain a new distribution in which the multisets coincide. This is achieved by adding new runs to $R_Z$.
6 Appendix

6.1 Proofs of Section 3

Proof (of Lemma 2). The proof is by induction on the length of the abstract path of $aTS$ from $\alpha X_0 = (q_{0D}, \#, \alpha(\mathbf{p}_0)) = (q_{0D}, \#, \{q_{0C}\})$ to the configuration $(q_D, g, \mathcal{Q})$.

The base case corresponds to $(q_D, g, \mathcal{Q}) = (q_{0D}, \#, \{q_{0C}\})$. For every $\mathbf{p} \in \gamma(\{q_{0C}\})$ we can just take $\mathbf{p}' = \mathbf{p}$.

For the inductive case (in which the abstract path has $n > 0$ transitions), let $(q_{D1}, g_1, \mathcal{Q}_1) \xrightarrow{t}_\alpha (q_D, g, \mathcal{Q})$ be the last transition of the path, and assume $t \in T_C$ (in the case $t \in T_D$ we have $\mathcal{Q}_1 = \mathcal{Q}$ and the result follows immediately from the induction hypothesis). Let $q_C$ and $q'_C$ be the source and target state of $t$, respectively. It follows from the definition of $\to_\alpha$ that:

$\mathcal{Q} = \alpha(\{\mathbf{p}' \mid \exists \mathbf{p} \in \gamma(\mathcal{Q}_1) : \mathbf{p} \ge q_C \wedge \mathbf{p}' = \mathbf{p} - q_C + q'_C\})$. (1)

By (B) and (1) we have $\mathcal{Q} = \mathcal{Q}_1 \cup \{q'_C\}$. If $q'_C \in \mathcal{Q}_1$ then we again get $\mathcal{Q}_1 = \mathcal{Q}$, and the result follows from the induction hypothesis. So assume $q'_C \notin \mathcal{Q}_1$. Given an arbitrary population $\mathbf{p} \in \gamma(\mathcal{Q})$, let $d = \mathbf{p}(q'_C)$ and consider the population $\mathbf{p}_1 = \mathbf{p} - d\,q'_C + d\,q_C$. We have $\mathbf{p}_1(q'_C) = d - d = 0$, and so $\mathbf{p}_1 \in \gamma(\mathcal{Q}_1)$. By induction hypothesis, there exists $\mathbf{p}'_1 \in \gamma(\mathcal{Q}_1)$ such that $\mathbf{p}'_1 \ge \mathbf{p}_1$ and $(q_{D1}, g_1, \mathbf{p}'_1)$ is reachable from $X_0$ in $TS$. Since $\mathbf{p}'_1 \ge \mathbf{p}_1 \ge d\,q_C$, the mapping $\mathbf{p}' = \mathbf{p}'_1 - d\,q_C + d\,q'_C$ is non-negative, and therefore a population. Now let $d$ contributors of $\mathbf{p}'_1$ execute $t \in \delta_C$ (which is always possible in a non-atomic network). We then have

$(q_{D1}, g_1, \mathbf{p}'_1) \xrightarrow{t^d} (q_D, g, \mathbf{p}'_1 - d\,q_C + d\,q'_C) = (q_D, g, \mathbf{p}') \ge (q_D, g, \mathbf{p})$

and we are done. □

Proof (of Lemma 3). ($\Rightarrow$) Assume the cycle $\alpha_0 \xrightarrow{t_1}_\alpha \alpha_1 \xrightarrow{t_2}_\alpha \cdots \xrightarrow{t_n}_\alpha \alpha_n = \alpha_0$ is realizable. Then there is an infinite path $c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \cdots$ of $TS$ such that $c_0 \in \gamma(\alpha_0), \ldots, c_{n-1} \in \gamma(\alpha_{n-1})$ and $c_k \in \gamma(\alpha_{k \bmod n})$ for every $k \ge n$, and the transitions match. Let $\mathbf{p}_i$ be the population of $c_i$. Since the number of contributors of a population remains constant across transitions, we have $|\mathbf{p}_i| = |\mathbf{p}_0|$ for every $i \ge 0$. Since there are only finitely many different populations of a given size, by the pigeonhole principle there exist $k_1 < k_2$ such that $\mathbf{p}_{k_1 n} = \mathbf{p}_{k_2 n}$. Since

$\mathbf{p}_{k_2 n} = \mathbf{p}_{k_1 n} + \sum_{i = k_1 n + 1}^{k_2 n} \Delta(t_i)$,

the sum on the right-hand side is equal to 0. Since

$\sum_{i = k_1 n + 1}^{k_2 n} \Delta(t_i) = (k_2 - k_1) \sum_{i=1}^{n} \Delta(t_i)$,

we get $\sum_{i=1}^{n} \Delta(t_i) = 0$.

($\Leftarrow$) Let $\alpha_i = (q_{Di}, g_i, \mathcal{Q}_i)$ for every $0 \le i \le n$. By (B) we have $\mathcal{Q}_0 \subseteq \mathcal{Q}_1 \subseteq \cdots \subseteq \mathcal{Q}_n = \mathcal{Q}_0$, and so all the $\mathcal{Q}_i$ are equal to $\mathcal{Q}_0$. Let $\mathbf{p}_0 = \sum_{q \in \mathcal{Q}_0} n \cdot q$ (the population with $n$ contributors in each state of $\mathcal{Q}_0$), and let $\mathbf{p}_i = \mathbf{p}_0 + \sum_{k=1}^{i} \Delta(t_k)$ for every $1 \le i \le n$. Then $\mathbf{p}_i$ is a population for every $0 \le i \le n$, since $\left|\sum_{k=1}^{i} \Delta(t_k)\right| \le \mathbf{p}_0$ componentwise (each $\Delta(t_k)$ removes at most one contributor from a single state of $\mathcal{Q}_0$). Let $c_i = (q_{Di}, g_i, \mathbf{p}_i)$. Then $c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \cdots \xrightarrow{t_n} c_n$ is a path of $TS$ and, since $\sum_{i=1}^{n} \Delta(t_i) = 0$, we have $c_n = c_0$. So $c_0 \xrightarrow{t_1} c_1 \cdots \xrightarrow{t_n} c_n$ is a cycle of $TS$ that can be iterated arbitrarily often, which implies that $\alpha_0 \xrightarrow{t_1}_\alpha \alpha_1 \xrightarrow{t_2}_\alpha \cdots \xrightarrow{t_n}_\alpha \alpha_n$ is realizable. □

Proof (of Theorem 1). In the main text we show that the algorithm runs in nondeterministic polynomial time. We now prove that it is sound and complete. Then we prove that the problem is NP-hard.

Soundness. The algorithm clearly computes a cycle of $aTS$ satisfying the assumptions of Lemma 3. So the cycle is realizable. Let $c_0 \xrightarrow{t_0} c_1 \cdots$ be the realization of the cycle, and let $c_0 = (q_{D0}, g_0, \mathbf{p}_0)$. Since $\alpha = \alpha_0$ is reachable from the initial abstract configuration, by Lemma 2 there exists a configuration $c'_0 = (q_{D0}, g_0, \mathbf{p}'_0)$ reachable from an initial configuration $(q_{0D}, \#, \mathbf{p}''_0)$ such that $\mathbf{p}'_0 \ge \mathbf{p}_0$. So the sequence $(t_0 \ldots t_n)^\omega$ can also be executed from $c'_0$. Since the cycle visits some accepting abstract configuration infinitely often, $TS$ has an accepting path.

Completeness. Let $c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \cdots$ be an $\omega$-path of $TS$ on which the Büchi automaton accepts. Since the number of contributors in the populations of the path stays constant, there exist, by the pigeonhole principle, two positions $i_1 < i_2$ such that $c_{i_1} = c_{i_2}$ and both are accepting. Clearly, we have $\sum_{k = i_1 + 1}^{i_2} \Delta(t_k) = 0$, hence

$c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} \cdots c_{i_1 - 1} \xrightarrow{t_{i_1}} (c_{i_1} \xrightarrow{t_{i_1 + 1}} c_{i_1 + 1} \cdots \xrightarrow{t_{i_2}} c_{i_2})^\omega$

is also an accepting $\omega$-path of $TS$. By (A) the path has a counterpart in the abstraction $aTS$, that is, there exists an $\omega$-path $\alpha_0 \xrightarrow{t_1}_\alpha \alpha_1 \xrightarrow{t_2}_\alpha \cdots$ in $aTS$ such that $c_i \in \gamma(\alpha_i)$ for all $i \ge 0$. Notice that (i) the sequence of transitions fired along these two paths is the same, and (ii) the states of $D$ and of the Büchi automaton $A$ coincide in $c_i$ and $\alpha_i$ for all $i$, and so the abstract path is also accepting. For each $i \ge 0$, let $\alpha_i = (q_{Di}, g_i, \mathcal{Q}_i)$. We know from (B) that $\mathcal{Q}_i \subseteq \mathcal{Q}_{i+1}$, and so there is a sequence $\mathcal{Q}'_1 \subsetneq \cdots \subsetneq \mathcal{Q}'_\ell$ such that for every $i \ge 0$ we have $\mathcal{Q}_i = \mathcal{Q}'_j$ for some $1 \le j \le \ell$. It follows that every abstract configuration of the path belongs to the set $\mathcal{Q}$, and every transition to the set $T$.

Let $i$ be an index after which the $\mathcal{Q}_i$ stabilize, that is, $\mathcal{Q}_i = \mathcal{Q}_{i+k}$ holds for every $k \ge 0$. Therefore, there exist numbers $i, j$ such that $\alpha_i = \alpha_{i+j}$ and some abstract configuration between $\alpha_i$ and $\alpha_{i+j}$ is accepting. So the transition system with $\mathcal{Q}$ as states and $T$ as transitions contains a configuration $\alpha$ reachable from the initial abstract configuration, and a cycle starting and ending at $\alpha$.

Hardness. NP-hardness follows from the NP-hardness of the safety problem [9], which asks, given a finite-state automaton $D$ for the leader and $C$ for the contributor (both of which are languages of finite words), whether there exists a word of the $(D, C)$-network $N$ that ends with an occurrence of $w_d(\$)$. We say that $N$ is safe iff it contains no such word. Remark that, for the safety problem, $C$ is assumed to be prefix-closed, hence every state of $C$ is accepting. Also, we assume without loss of generality that every word of $D$ ends with $w_d(\$)$. The reduction goes as follows: given an instance of the safety problem, turn $D$ into an $\omega$-language by appending $r_d(\$)^\omega$ to it. We also turn $C$ into an $\omega$-language by appending $w_c(\#)^\omega$ to it, where $\# \notin G$ is the corrupted value nobody else can read. At the machine level this is done by adding to each accepting state of $D$ a self-loop labeled with action $r_d(\$)$ and interpreting $D$ as a Büchi automaton. On the other hand, since $C$ is prefix-closed, all its states are accepting. We turn $C$ into an FSM by dropping $F$ (the set of accepting states) and by adding a self-loop labelled $w_c(\#)$ to each state. This concludes the hardness proof. □


6.2 Proofs of Section 4

Proof (of Theorem 2). Hardness follows from the NP-hardness of MC(FSM, FSM). The nondeterministic polynomial time algorithm is essentially the same as that of Theorem 1, except that we have pushdown systems instead of finite-state systems. As before, we guess a sequence of subsets of $Q_C$ such that $\mathcal{Q}_i \subsetneq \mathcal{Q}_{i+1}$ for all $i$, $0 \le i < \ell \le |Q_C|$. We construct a Büchi PDM whose states are the abstract configurations $Q_D \times (G \cup \{\#\}) \times \{\{q_{0C}\}, \mathcal{Q}_1, \ldots, \mathcal{Q}_\ell\}$, whose stack alphabet is $\Gamma_D$, whose initial state is $\hat{q}_0 = (q_{0D}, \#, \{q_{0C}\})$ with initial stack $\bot$, whose accepting states are the accepting abstract configurations (i.e., those where $A$ is accepting), and whose transitions are defined to mimic $aTS$.

Next, we guess an abstract configuration $\hat{q}$ and a stack symbol $\gamma$. We check if there is a word that takes $\hat{q}_0 \bot$ to $\hat{q} \gamma w$ for some $w \in \Gamma_D^*$. This check is equivalent to pushdown reachability and can be performed in polynomial time [7]. We construct a PDA (a pushdown automaton (PDA) is a PDM which decides languages of finite words; we define a PDA as a PDM with a set $F$ of accepting states) $P_{\hat{q}\gamma}$ over finite words that accepts a word $u \in \Sigma^*$ if there is a run on $u$ from the starting configuration $\hat{q}\gamma$ to a configuration $\hat{q}\gamma w'$ for some $w' \in \Gamma_D^*$ that passes through an accepting abstract configuration. The PDA can be computed in polynomial time.

Finally, we check if there is a word accepted by the pushdown automaton whose "weight" is 0. For this check, as before, we compute an (existential) Presburger formula $\Omega$ for the Parikh image of $L(P_{\hat{q}\gamma})$. The free variables of $\Omega$ are in one-to-one correspondence with the transitions of the automaton. We thus adopt the convention that $x_t$ denotes the variable corresponding to transition $t \in \delta_D \cup \delta_C$. We compute $\Omega'$ by adding $|Q_C|$ variables and $|Q_C|$ constraints, one per state $q_C \in Q_C$: $\sum_{t : tgt(t) = q_C} x_t = \sum_{t : src(t) = q_C} x_t$, where $tgt$ and $src$ return the target and source states of the transition passed as argument. Add also the constraint $\sum_{t \in \delta_D \cup \delta_C} x_t > 0$ to prevent 0 from being returned as a trivial solution. Finally, we check satisfiability of $\Omega'$ and accept if $\Omega'$ is satisfiable. This step is in NP because satisfiability of an existential Presburger formula is in NP [11].

To see that the algorithm is sound, notice that the algorithm accepts if there is a (pushdown) lasso such that the cyclic part has weight 0. For an initial population that is large enough (essentially, cubic in the size of the PDM), we can execute the operations on the path to the lasso and then execute the cycle to come back to the same configuration as the starting point of the lasso. This lasso can be pumped infinitely often to produce an accepting run of the Büchi PDM.

For completeness, we use Lemma 4 to deduce that from an accepting run of the Büchi PDM we can find a lasso-shaped path as defined above. By a similar pigeonhole argument as that of Lemma 3, we conclude that we can find a cyclic path whose weight is 0. □
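As an added example (not the paper's implementation), the following Python code makes the "weight" bookkeeping of Lemma 3 and of the constraints in the proof above concrete on a constructed contributor FSM: `delta` is the population change $\Delta(t)$ of a single transition, `cycle_weight` sums it over a candidate cycle, `is_balanced` checks the per-state constraints $\sum_{tgt(t)=q_C} x_t = \sum_{src(t)=q_C} x_t$ on a Parikh vector, and `balanced_parikh_vectors` enumerates the non-zero balanced vectors up to a bound. That enumeration only stands in for the Parikh-image and Presburger step of the proof, which this example does not implement, so it is usable for toy sizes only. The transition names and the leader transitions `d1`, `d2` are constructed for the example.

```python
"""Zero-weight cycles behind Lemma 3 and the proof of Theorem 2. Example code
added by the editor; the contributor FSM and all names are constructed, and the
bounded enumeration replaces the Presburger satisfiability check of the paper."""

from itertools import product

# Constructed contributor FSM: transition name -> (source state, action, target state).
CONTRIBUTOR = {
    "t1": ("q0", "r_c(1)", "q1"),
    "t2": ("q1", "w_c(2)", "q2"),
    "t3": ("q2", "r_c(3)", "q1"),
    "t4": ("q1", "w_c(1)", "q0"),
}
LEADER_TRANSITIONS = {"d1", "d2"}   # leader transitions do not move contributors


def delta(transition):
    """Population change Delta(t): one contributor leaves src(t) and enters tgt(t);
    a leader transition changes nothing (returned as an empty change)."""
    if transition in LEADER_TRANSITIONS:
        return {}
    src, _action, tgt = CONTRIBUTOR[transition]
    return {} if src == tgt else {src: -1, tgt: +1}


def cycle_weight(transitions):
    """Sum of Delta over a sequence of transitions; empty iff the cycle has weight 0,
    i.e. the population is the same before and after it (Lemma 3)."""
    total = {}
    for t in transitions:
        for state, d in delta(t).items():
            total[state] = total.get(state, 0) + d
    return {s: d for s, d in total.items() if d != 0}


def is_balanced(parikh):
    """Flow-balance constraints of the Theorem 2 proof on a Parikh vector over the
    contributor transitions: for every state q, inflow equals outflow."""
    states = set()
    for src, _a, tgt in CONTRIBUTOR.values():
        states.update((src, tgt))
    for q in states:
        inflow = sum(x for t, x in parikh.items() if CONTRIBUTOR[t][2] == q)
        outflow = sum(x for t, x in parikh.items() if CONTRIBUTOR[t][0] == q)
        if inflow != outflow:
            return False
    return True


def balanced_parikh_vectors(bound):
    """All non-zero Parikh vectors with entries in 0..bound that satisfy the balance
    constraints: the solutions the Presburger check of the proof would look for,
    found here by brute force (toy sizes only)."""
    names = sorted(CONTRIBUTOR)
    found = []
    for values in product(range(bound + 1), repeat=len(names)):
        if sum(values) == 0:          # the trivial solution the proof rules out
            continue
        x = dict(zip(names, values))
        if is_balanced(x):
            found.append(x)
    return found


if __name__ == "__main__":
    print(cycle_weight(["t1", "t2", "t3", "t4"]))   # {} : q0->q1->q2->q1->q0 is zero-weight
    print(cycle_weight(["t1", "t2"]))               # one contributor moved from q0 to q2
    for x in balanced_parikh_vectors(1):
        print(x)
```

A zero-weight Parikh vector is exactly one where every contributor state is entered as often as it is left, which is why the cycle found by the algorithm can be repeated from the same population; `cycle_weight` on an explicit transition sequence and `is_balanced` on its Parikh vector agree on every input.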
6.3 Proofs of Section 5

Proof (of Theorem 3). We first prove that if $v$ admits an effectively $k$-bounded run $\rho$ in $P$ then $v$ also admits a run in $P_k$. Let $\rho = q_0 w_0 \xrightarrow{(v)_1} q_1 w_1 \xrightarrow{(v)_2} \cdots$, and let $ap(i)$, resp. $ds(i)$, denote the active prefix, resp. dark suffix, of $w_i$. Recall that a state of $P_k$ is a pair $(q, s)$, where $q$ is a state of $P$ and $s$ is a non-empty stack content of length at most $k$. For every $i \ge 0$, we inductively define $(q_i, ap(i)u_i)$, where $u_i$ is a possibly empty prefix of $ds(i)$, and we show that $(q_i, ap(i)u_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, ap(i+1)u_{i+1})$ is a transition of $P_k$.

We define $u_0 = \varepsilon$. Observe that $ap(0) = \bot$ and $ds(0) = \varepsilon$, therefore the initial state of $P_k$ is in the desired form. For the definition of $u_{i+1}$, assuming that $u_i$ is already defined, we consider three cases:

- The transition $q_i w_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1}$ pops a symbol $\gamma$. Then $q_i \gamma x \xrightarrow{(v)_{i+1}} q_{i+1} x$ is a transition of $P$ for every $x \in \Gamma^*$, and so, in particular, $q_i \gamma\, ap(i+1)u_i \xrightarrow{(v)_{i+1}} q_{i+1}\, ap(i+1)u_i$ is a transition of $P$. Moreover, by the definition of an active prefix, we have $ap(i) = \gamma\, ap(i+1)$ and thus $ds(i) = ds(i+1)$; therefore $u_i$ is also a prefix of $ds(i+1)$. By induction hypothesis, $|ap(i)u_i| \le k$, which implies $|ap(i+1)u_i| < k$. Setting $u_{i+1} = u_i$ we thus obtain that $|ap(i+1)u_{i+1}| \le k$ and finally that $(q_i, ap(i)u_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, ap(i+1)u_{i+1})$ is a transition of $P_k$.

- The transition $q_i w_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1}$ pushes a symbol $\gamma$, and $|ap(i)u_i| < k$. Then $q_i\, ap(i)u_i \xrightarrow{(v)_{i+1}} q_{i+1}\, \gamma\, ap(i)u_i$ is a transition of $P$. Since $|ap(i)u_i| < k$, we have $|\gamma\, ap(i)u_i| \le k$, hence $(q_i, ap(i)u_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, \gamma\, ap(i)u_i)$ is also a transition of $P_k$. If $\gamma$ is popped later on, then $ap(i+1) = \gamma\, ap(i)$; so $q_i\, ap(i)u_i \xrightarrow{(v)_{i+1}} q_{i+1}\, ap(i+1)u_i$ is a transition of $P$, and we set $u_{i+1} = u_i$. If $\gamma$ is never popped, then $ap(i+1) = \gamma$, and we let $u_{i+1} = ap(i)u_i$ (a prefix of $ds(i+1) = ap(i)ds(i)$). In both cases, we find that $|ap(i+1)u_{i+1}| \le k$ and hence that $(q_i, ap(i)u_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, ap(i+1)u_{i+1})$ is a transition of $P_k$.

- The transition $q_i w_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1}$ pushes a symbol $\gamma$, and $|ap(i)u_i| = k$. Then $q_i\, ap(i)u_i \xrightarrow{(v)_{i+1}} q_{i+1}\, \gamma\, ap(i)u_i$ is a transition of $P$, and since $|\gamma\, ap(i)u_i| = k + 1$, the corresponding transition of $P_k$ is $(q_i, ap(i)u_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, (\gamma\, ap(i)u_i)_{1..k})$, which drops the last symbol of $ap(i)u_i$. Suppose first that $\gamma$ is popped later on, so that $ap(i+1) = \gamma\, ap(i)$. We claim that $|u_i| > 0$: if $|u_i| = 0$, then $|ap(i)| = k$, and since $ds(i)$ is the longest common proper suffix of all $(w_j)_{j \ge i}$ and $w_i$ is a proper suffix of $w_{i+1}$ (and recurs when $\gamma$ is popped), $ds(i)$ is also the longest common proper suffix of all $(w_j)_{j \ge i+1}$; therefore $ap(i+1) = \gamma\, ap(i)$ has length $k + 1$, contradicting the hypothesis that the run is effectively $k$-bounded. We can therefore write $u_i = u'_i \gamma'$; the transition of $P_k$ leads to $(q_{i+1}, \gamma\, ap(i)u'_i)$, and we set $u_{i+1} = u'_i$. If instead $\gamma$ is never popped, then $ap(i+1) = \gamma$ and we let $u_{i+1} = (ap(i)u_i)_{1..k-1}$, a prefix of $ds(i+1) = ap(i)ds(i)$. In both cases we conclude that $|ap(i+1)u_{i+1}| \le k$, hence that $(q_i, ap(i)u_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, ap(i+1)u_{i+1})$ is a transition of $P_k$.

Now we show that if $v$ admits a run in $P_k$, then it admits an effectively $k$-bounded run $\rho'$ in $P$. Let $\rho = (q_0, w_0) \xrightarrow{(v)_1} (q_1, w_1) \xrightarrow{(v)_2} \cdots$ be a run of $P_k$ on $v$; thus $|w_i| \le k$ for every $i \ge 0$. We inductively construct $w'_0, w'_1, \ldots$ such that $\rho' = q_0 w_0 w'_0 \xrightarrow{(v)_1} q_1 w_1 w'_1 \xrightarrow{(v)_2} \cdots$ is a run of $P$ satisfying the following invariant:

$|w_{i+1} w'_{i+1}| - |w_i w'_i| \ge |w_{i+1}| - |w_i|$, for all $i \ge 0$. (2)

We start by defining $w'_0 = \varepsilon$, which trivially satisfies (2). Assume $q_0 w_0 w'_0 \xrightarrow{(v)_1} \cdots \xrightarrow{(v)_i} q_i w_i w'_i$ is a run of $P$ satisfying (2), and consider the transition $(q_i, w_i) \xrightarrow{(v)_{i+1}} (q_{i+1}, w_{i+1})$ of $P_k$. By the definition of the transitions of $P_k$, there are two possible cases:

- $q_i w_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1}$ is a transition of $P$. Then $q_i w_i w'_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1} w'_i$ is also a transition of $P$, and we can take $w'_{i+1}$ to be $w'_i$; (2) is satisfied as $|w_{i+1} w'_{i+1}| - |w_i w'_i| = |w_{i+1}| - |w_i|$.

- $q_i w_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1} \gamma'$ is a transition of $P$ (the symbol $\gamma'$ was truncated away by $P_k$). Then $|w_i| = |w_{i+1}| = k$, and $q_i w_i w'_i \xrightarrow{(v)_{i+1}} q_{i+1} w_{i+1} \gamma' w'_i$ is a transition of $P$. So setting $w'_{i+1}$ to $\gamma' w'_i$ satisfies (2) as $|w_{i+1} w'_{i+1}| - |w_i w'_i| = |w_{i+1}| - |w_i| + 1$.

The induction is concluded; now we explain the meaning of equation (2). First remark that, by a telescoping sum, we obtain for any $i, j \ge 0$ that $|w_{i+j} w'_{i+j}| - |w_i w'_i| \ge |w_{i+j}| - |w_i|$. Since $|w_{i+j}| \ge 1$ and $|w_i| \le k$, we obtain $|w_{i+j} w'_{i+j}| - |w_i w'_i| \ge 1 - k$. Informally, this means that the number of symbols in the stack at any position after $i$ cannot be much smaller (much meaning $k$) than at position $i$. Thus, at every position $i$, the run never eventually pops all of the $k$ top symbols of the stack at that position, as this would yield a configuration after $i$ whose stack would be too small and contradict the inequality. Therefore the run $\rho'$ is effectively $k$-bounded. □

Proof (of Lemma 5, the Distributing Lemma). Since $u$ is compatible with $M$, there exists a witness $s \in L(S)$ that is an interleaving of $u$ with the words of $M$. Since $\Sigma_C \cap \Sigma_D = \emptyset$, there exists an interleaving function, i.e., a bijection $I : \biguplus_{w \in \{u\} \oplus M} dom(w) \to dom(s)$, that assigns to each position in each word in $\{u\} \oplus M$ a corresponding position in $s$ with the same action. Further, the interleaving function satisfies $i < j$ in $dom(w)$ iff $I(w, i) < I(w, j)$.

For example, if $u = w_d(1)$ and $M = \{w_1, w_2\}$, where $w_1 = r_c(1)\,w_c(2)\,r_c(1)$ and $w_2 = r_c(2)\,w_c(1)$, then we can take $s = w_d(1)\,r_c(1)\,w_c(2)\,r_c(2)\,w_c(1)\,r_c(1)$, with $I(u, 1) = 1$, $I(w_1, 1) = 2$, $I(w_1, 2) = 3$, $I(w_1, 3) = 6$, $I(w_2, 1) = 4$, $I(w_2, 2) = 5$.

We have to show that, given $v \in M$, a run $\rho$ of $C$ accepting the word $v$, and a distribution $R$ of $\rho$ accepting a multiset $M_R$ of words, then $M \ominus \{v\} \oplus M_R$ is compatible with $u$.

Let $\psi$ be the embedding function of the distribution $R$. We construct a word $s'$ witnessing that $u$ and $M \ominus \{v\} \oplus M_R$ are compatible. The word $s'$ is a stuttering of $s$, that is, it is obtained from $s$ by repeating some letters of $s$; since, by definition of the store, $S$ is closed under stuttering, we have $s' \in S$. Let $s = a_1 a_2 \cdots$ and let $i$ be a position of $s$ such that $I(v, j) = i$ for some $j \in dom(v)$ (so, loosely speaking, position $i$ in the interleaving $s$ comes from the word $v \in M$). Further, let $k$ be the number of runs in $R$ such that some position in them is mapped to position $j$ by the embedding function $\psi$ (intuitively, $k$ is the number of runs in $R$ executing the action at position $j$). Then we replace $a_i$ by $a_i^k$ (that is, by the word $a_i \cdots a_i$ of length $k$).

For example, if we distribute $w_1$ above to $\{r_c(1)\,w_c(2),\ w_c(2)\,r_c(1),\ w_c(2)\}$, then we get

$s' = w_d(1)\,r_c(1)\,(w_c(2)\,w_c(2)\,w_c(2))\,r_c(2)\,w_c(1)\,r_c(1)$.

We clearly have a one-to-one correspondence between positions in $s'$ and positions in $\{u\} \oplus M \ominus \{v\} \oplus M_R$. □
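The construction of $s'$ above, as an added example in Python (the code is mine, not the paper's): the words, the interleaving function $I$ and the distribution of $w_1$ are the ones of the proof. `is_interleaving` checks that $I$ is a bijection onto the positions of $s$ that preserves actions and order inside each word, `stutter` builds $s'$ by repeating each letter coming from $v$ as many times as there are runs of the distribution covering that position, and `store_accepts` checks the result against the register semantics I assume for $S$ (a read $r(x)$ is valid only when $x$ is the value of the most recent write), which is what makes stuttering harmless.

```python
"""Witness construction of the Distributing Lemma (Lemma 5). Example code added
by the editor, not part of the paper. Actions are pairs (kind, value): ("wd", 1)
is the leader write w_d(1), ("rc", 2) the contributor read r_c(2), and so on.
The register semantics assumed for the store S: every read returns the value of
the most recent write."""

U = [("wd", 1)]
W1 = [("rc", 1), ("wc", 2), ("rc", 1)]
W2 = [("rc", 2), ("wc", 1)]
S = [("wd", 1), ("rc", 1), ("wc", 2), ("rc", 2), ("wc", 1), ("rc", 1)]
WORDS = {"u": U, "w1": W1, "w2": W2}

# Interleaving function I: (word name, position) -> position in S, positions from 1.
INTERLEAVING = {("u", 1): 1,
                ("w1", 1): 2, ("w1", 2): 3, ("w1", 3): 6,
                ("w2", 1): 4, ("w2", 2): 5}

# The distribution of w1 used in the proof: each run of the distribution is given
# by the positions of w1 it is embedded into (the image of psi for that run).
#   rc(1) wc(2) -> positions 1,2;  wc(2) rc(1) -> 2,3;  wc(2) -> 2.
W1_DISTRIBUTION = {"rho1": [1, 2], "rho2": [2, 3], "rho3": [2]}


def is_interleaving(words, s, I):
    """I must be a bijection from the positions of the words onto dom(s), keep the
    action at every position and be monotone within every word."""
    if sorted(I.values()) != list(range(1, len(s) + 1)):
        return False
    for name, word in words.items():
        prev = 0
        for j, action in enumerate(word, start=1):
            k = I.get((name, j))
            if k is None or s[k - 1] != action or k <= prev:
                return False
            prev = k
    return True


def store_accepts(word):
    """Assumed register semantics: a read is valid only if it returns the value of
    the most recent write. Returns False at the first stale read."""
    current = None
    for kind, value in word:
        if kind.startswith("w"):
            current = value
        elif current != value:
            return False
    return True


def stutter(s, I, v_name, distribution):
    """s' of the proof: a letter of s that comes from position j of v is repeated
    once per run of the distribution whose embedding covers j; every other letter
    is kept once. The result is a stuttering of s, hence still in S."""
    multiplicity = {}
    for positions in distribution.values():
        for j in positions:
            multiplicity[j] = multiplicity.get(j, 0) + 1
    out = []
    for (name, j), i in sorted(I.items(), key=lambda item: item[1]):
        reps = multiplicity.get(j, 0) if name == v_name else 1
        out.extend([s[i - 1]] * reps)
    return out


if __name__ == "__main__":
    assert is_interleaving(WORDS, S, INTERLEAVING)
    s_prime = stutter(S, INTERLEAVING, "w1", W1_DISTRIBUTION)
    print(s_prime)                 # wc(2) appears three times in a row
    print(store_accepts(S), store_accepts(s_prime))
```

Because the three copies of $w_c(2)$ write the same value back to back and the repeated reads see an unchanged register, the stuttered word is still accepted by the store, which is the closure-under-stuttering property the proof relies on.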

Proof of the Boundedness Lemma. Before proving Lemma 6 and the Boundedness 
lemma we give an example of two distributions of a finite run that decrease the effective 
stack height, one of them being moreover synchronized. 

Example 5. Consider the two distributions $R$ and $S$ of $\rho = r_a r_t r_t r_c r_c r_c$ in Example 3. Further assume that the PDM $P$ has one single state $p$, stack symbols $\{\bot, a\}$, and that the three rules $r_a$, $r_t$ and $r_c$ are given by $r_a : p\bot \to pa\bot$, $r_t : pa \to paa$, and $r_c : pa \to p$. Figure 2 graphically depicts the stack contents of the configurations of the runs (the control state is always $p$), and their respective effective stack heights.
Fig. 2. Configurations and effective stack heights of the distributions of Example 3.


We observe that $\rho$ is effectively 4-bounded. The distribution $R$ is $(l, 2)$-bounded for every $1 \le l \le 6$, because the configurations $c_\psi(\rho'_j, i)$ have effective stack height at most 2 for every $1 \le j \le 3$ and every $1 \le i \le 6$. The distribution is not synchronized. Indeed, the configuration $c(\rho, 6) = p\bot$ has effective stack height 1, but $c_\psi(\rho'_j, 6) = pa\bot \neq c(\rho, 6)$ for one of the runs $\rho'_j$. The distribution $S$ is $(l, 3)$-bounded for every $1 \le l \le 6$ and synchronized. Remark that in each of $\sigma'_1, \sigma'_2, \sigma'_3$, at positions $last_\psi(\sigma'_i, 0)$ and $last_\psi(\sigma'_i, 6)$ (the only two positions at which $\rho$ has effective stack height 1), the stack content is $\bot$, thus the effective stack height is 1.

Proof (of Lemma 6). For convenience, when we want to denote that, say, in a run $\rho$ the configurations reached after $(\rho)_{1..i}$ and $(\rho)_{1..j}$ are $c$ and $c'$, we write

$$\rho = (\rho)_{1..i}\,[c]\,(\rho)_{i+1..j}\,[c']\,(\rho)_{j+1..\infty}.$$

We construct a $(l, N)$-bounded and synchronized distribution $\{\rho_a, \rho_b\}$ of $\rho$. Let $\alpha_{N+1}\alpha_N \cdots \alpha_1 w_0$ be the stack content of $c(\rho, l)$. Define $\{\overrightarrow{p}_1, \ldots, \overrightarrow{p}_N, \overleftarrow{p}_1, \ldots, \overleftarrow{p}_N\} \subseteq \mathrm{dom}(\rho)$ such that for each $i$, $1 \le i \le N$, $c(\rho, \overrightarrow{p}_i)$ and $c(\rho, \overleftarrow{p}_i)$ are the configurations immediately after the symbol $\alpha_i$ in $c(\rho, l)$ is pushed, respectively popped, and such that the stack content of each configuration between $\overrightarrow{p}_i$ (included) and $\overleftarrow{p}_i$ (excluded) equals $w_p \alpha_i \alpha_{i-1} \cdots \alpha_1 w_0$ for some $w_p \in \Gamma_C^*$. We get $c(\rho, \overrightarrow{p}_i) = q_i \alpha_i \cdots \alpha_1 w_0$ and $c(\rho, \overleftarrow{p}_i) = q'_i \alpha_{i-1} \cdots \alpha_1 w_0$ for some $q_i, q'_i \in Q_C$. Observe that the following holds:

$$\overrightarrow{p}_1 < \cdots < \overrightarrow{p}_{N-1} < \overrightarrow{p}_N < l < \overleftarrow{p}_N < \overleftarrow{p}_{N-1} < \cdots < \overleftarrow{p}_1.$$
Since $N = 2|Q_C|^2|\Gamma_C| + 1$, by the pigeonhole principle we find $q, \alpha, q'$ and three indices $1 \le j_1 < j_2 < j_3 \le N$ such that, by letting $w_1 = \alpha_{j_1 - 1} \cdots \alpha_1$, $w_2 = \alpha_{j_2 - 1} \cdots \alpha_{j_1}$, and $w_3 = \alpha_{j_3 - 1} \cdots \alpha_{j_2}$, we have:

$$\rho = (\rho)_{1..\overrightarrow{p}_{j_1}}\,[q\alpha w_1]\,(\rho)_{\overrightarrow{p}_{j_1}+1..\overrightarrow{p}_{j_2}}\,[q\alpha w_2 w_1]\,(\rho)_{\overrightarrow{p}_{j_2}+1..\overrightarrow{p}_{j_3}}\,[q\alpha w_3 w_2 w_1]\,(\rho)_{\overrightarrow{p}_{j_3}+1..\overleftarrow{p}_{j_3}}\,[q' w_3 w_2 w_1]\,(\rho)_{\overleftarrow{p}_{j_3}+1..\overleftarrow{p}_{j_2}}\,[q' w_2 w_1]\,(\rho)_{\overleftarrow{p}_{j_2}+1..\overleftarrow{p}_{j_1}}\,[q' w_1]\,(\rho)_{\overleftarrow{p}_{j_1}+1..\infty}.$$

Now define $\rho_a$ from $\rho$ by simultaneously deleting $(\rho)_{\overrightarrow{p}_{j_1}+1..\overrightarrow{p}_{j_2}}$ and $(\rho)_{\overleftarrow{p}_{j_2}+1..\overleftarrow{p}_{j_1}}$. We similarly define $\rho_b$ by deleting $(\rho)_{\overrightarrow{p}_{j_2}+1..\overrightarrow{p}_{j_3}}$ and $(\rho)_{\overleftarrow{p}_{j_3}+1..\overleftarrow{p}_{j_2}}$. The following shows that $\rho_a$ defines a legal run, since it is given by

$$(\rho)_{1..\overrightarrow{p}_{j_1}}\,[q\alpha w_1]\,(\rho)_{\overrightarrow{p}_{j_2}+1..\overleftarrow{p}_{j_2}}\,[q' w_1]\,(\rho)_{\overleftarrow{p}_{j_1}+1..\infty}.$$

A similar reasoning holds for $\rho_b$. We conclude by proving two claims.


$\{\rho_a, \rho_b\}$ is a distribution of $\rho$. The embedding function $f$ for $\rho_a$ (again, the case of $\rho_b$ is analogous) is given by

$$f(\rho_a, i) = \begin{cases}
i & \text{for } 1 \le i \le \overrightarrow{p}_{j_1} \\
i + (\overrightarrow{p}_{j_2} - \overrightarrow{p}_{j_1}) & \text{for } \overrightarrow{p}_{j_1} + 1 \le i \le \overleftarrow{p}_{j_2} - (\overrightarrow{p}_{j_2} - \overrightarrow{p}_{j_1}) \\
i + (\overrightarrow{p}_{j_2} - \overrightarrow{p}_{j_1}) + (\overleftarrow{p}_{j_1} - \overleftarrow{p}_{j_2}) & \text{for } \overleftarrow{p}_{j_2} - (\overrightarrow{p}_{j_2} - \overrightarrow{p}_{j_1}) + 1 \le i
\end{cases}$$


$\{\rho_a, \rho_b\}$ is a $(l, N)$-bounded and synchronized distribution of $\rho$. Since the effective stack height of every configuration of $\rho_a$ (resp. $\rho_b$) up to position $last_f(\rho_a, l)$ (resp. $last_f(\rho_b, l)$) is at most $N$, the distribution is $(l, N)$-bounded. Finally, observe that we have $c(\rho, i) = c_f(\rho_a, i) = c_f(\rho_b, i)$ for every $i \le \overrightarrow{p}_{j_1}$ and every $i \ge \overleftarrow{p}_{j_1}$. Since all configurations of $\rho$ of effective stack height 1 are in these two areas, the distribution is synchronized. □

In order to prove the Boundedness Lemma (Lemma 7), we introduce a definition that 
allows us to “nest” distributions (that is, to distribute a run into several runs, and then 
distribute one of these runs again into several runs), while preserving the properties of 
synchronization and boundedness. 

Definition 5. Let $R, \psi$ be a distribution of $\rho$. Let $\rho' \in R$, and let $R', \psi'$ be a distribution of $\rho'$. The composition of $R, \psi$ and $R', \psi'$ is the distribution $R \ominus \{\rho'\} \oplus R', \psi''$ of $\rho$, where the embedding function $\psi''$ is defined as follows:

- $\psi''(r, i) = \psi(r, i)$ for every $r \in R \ominus \{\rho'\}$, and

- $\psi''(r, i) = \psi(\rho', \psi'(r, i))$ for every $r \in R'$.

The following lemma proves that the composition of distributions is not ill-defined, 
that is, that the composition of distributions is indeed a distribution of p. 

Lemma 8. Let $R, \psi$ be a distribution of $\rho$. Let $\rho' \in R$ and let $R', \psi'$ be a distribution of $\rho'$. The composition $R \ominus \{\rho'\} \oplus R', \psi''$ is a distribution of $\rho$.

Proof. We need to show that $\psi''$ satisfies the three properties of an embedding function.

- $(\rho'')_i = (\rho)_{\psi''(\rho'', i)}$.

If $\rho'' \in R \ominus \{\rho'\}$, then, as $\psi$ is a distribution of $\rho$, we have $(\rho'')_i = (\rho)_{\psi(\rho'', i)}$. By definition of $\psi''$, we get $\psi''(\rho'', i) = \psi(\rho'', i)$. If $\rho'' \in R'$, then, since $\psi'$ is a distribution, $(\rho'')_i = (\rho')_{\psi'(\rho'', i)}$. Since $\psi$ is a distribution, $(\rho')_j = (\rho)_{\psi(\rho', j)}$. Taking $j = \psi'(\rho'', i)$, we get $(\rho'')_i = (\rho')_{\psi'(\rho'', i)} = (\rho)_{\psi(\rho', \psi'(\rho'', i))} = (\rho)_{\psi''(\rho'', i)}$. So, for every $\rho'' \in R \ominus \{\rho'\} \oplus R'$, we finally obtain $(\rho'')_i = (\rho)_{\psi''(\rho'', i)}$.

- Surjectivity.

If $k \in \mathrm{dom}(\rho)$, we first exploit the surjectivity of $\psi$: either there exists $\rho'' \in R \ominus \{\rho'\}$ and some $i \in \mathrm{dom}(\rho'')$ such that $\psi(\rho'', i) = k$ (which means that $\psi''(\rho'', i) = k$), or there is some $j \in \mathrm{dom}(\rho')$ such that $\psi(\rho', j) = k$. In the latter case, we then exploit the fact that $\psi'$ is a distribution of $\rho'$, and deduce that there exists $\rho'' \in R'$ and $i \in \mathrm{dom}(\rho'')$ such that $\psi'(\rho'', i) = j$; hence we have $\psi(\rho', \psi'(\rho'', i)) = k$, and so $\psi''(\rho'', i) = k$.

- Monotonicity.

For every $\rho'' \in R \ominus \{\rho'\}$, from the monotonicity of $\psi$ we obtain that $\psi''(\rho'', i) < \psi''(\rho'', j)$ for every $i < j$. If $\rho'' \in R'$, first we derive from the monotonicity of $\psi'$ that $\psi'(\rho'', i) < \psi'(\rho'', j)$ holds for every $i < j$. Then, by monotonicity of $\psi$, we obtain $\psi(\rho', \psi'(\rho'', i)) < \psi(\rho', \psi'(\rho'', j))$, and so $\psi''(\rho'', i) < \psi''(\rho'', j)$. □

Lemma 9. Let $\sigma$ be a run of $D$, and let $M \oplus \{\rho\}$ be a multiset of runs of $C$ compatible with $\sigma$. Let $R, \psi$ be a $(l, N)$-bounded synchronized distribution of $\rho$. For every $\rho' \in R$, let $R_{\rho'}, \psi_{\rho'}$ be a $(last_\psi(\rho', l) + 1, N)$-bounded synchronized distribution of $\rho'$. Then $\bigoplus_{\rho' \in R} R_{\rho'}$ is a $(l + 1, N)$-bounded synchronized distribution of $\rho$.

Proof. By repeated application of Lemma 8, $\rho$ can be distributed to $\bigoplus_{\rho' \in R} R_{\rho'}$. Let $\Psi$ be the corresponding embedding function, obtained also by repeated application of Lemma 8. We have to prove that $\bigoplus_{\rho' \in R} R_{\rho'}, \Psi$ is a synchronized and $(l + 1, N)$-bounded distribution.

We first show that $\bigoplus_{\rho' \in R} R_{\rho'}, \Psi$ is synchronized. Assume that the effective stack height of $c(\rho, i)$ is 1. Let $\rho'' \in \bigoplus_{\rho' \in R} R_{\rho'}$, and let $\rho'$ be the element of $R$ it corresponds to.

We have to show that $last_\Psi(\rho'', i) = last_{\psi_{\rho'}}(\rho'', last_\psi(\rho', i))$ (which we easily deduce from the fact that $last_\Psi(\rho'', i) = last_\Psi(\rho'', \psi(\rho', last_\psi(\rho', i)))$). Since $\psi$ is synchronized, we deduce that $c(\rho, i)$ is the same configuration as $c_\psi(\rho', i) = c(\rho', last_\psi(\rho', i))$ and has effective stack height 1. Since $\psi_{\rho'}$ is synchronized, $c(\rho', last_\psi(\rho', i))$ is the same configuration as $c_{\psi_{\rho'}}(\rho'', last_\psi(\rho', i)) = c(\rho'', last_{\psi_{\rho'}}(\rho'', last_\psi(\rho', i)))$.

We now prove that $\bigoplus_{\rho' \in R} R_{\rho'}$ is $(l + 1, N)$-bounded. Again, we pick $\rho'' \in \bigoplus_{\rho' \in R} R_{\rho'}$ and $\rho'$ its corresponding element of $R$. We have to show that $c_\Psi(\rho'', i)$ has effective stack height at most $N$ for every $0 \le i \le l + 1$. Since $last_\psi(\rho', l + 1) \le last_\psi(\rho', l) + 1$, by monotonicity we deduce that $last_\Psi(\rho'', l + 1) \le last_{\psi_{\rho'}}(\rho'', last_\psi(\rho', l) + 1)$ and we are done. □

Proof (of Lemma 7, the Boundedness Lemma). The proof is by induction on $l$. If $l = 1$ then $R_1 = \{\rho\}$, because the first configuration of a run has effective height at most 2 (if the first rule was a push, and that symbol will be later popped). Since by definition $N \ge 2$, we get that $\rho$ is $(1, N)$-bounded.
For the induction step, assume that some distribution $R_{l-1}$ of $\rho$ is $(l - 1, N)$-bounded and synchronized, and let $\psi$ be the embedding function of the distribution. If $R_{l-1}$ is also $(l, N)$-bounded, we take $R_l = R_{l-1}$, and we are done. Otherwise, there is $\rho' \in R_{l-1}$ such that $c_\psi(\rho', 0), \ldots, c_\psi(\rho', l - 1)$ are effectively $N$-bounded, but $c_\psi(\rho', l)$ is not.

Informally, this means that the $l$-th transition of $\rho$ was distributed to $\rho'$. Let $l_{\rho'}$ be that position in $\rho'$; formally $l = \psi(\rho', l_{\rho'})$ (if no such $l_{\rho'}$ exists, $c_\psi(\rho', l - 1) = c_\psi(\rho', l)$). Since $l_{\rho'}$ is the first position of $\rho'$ whose configuration is not $N$-bounded, we have that $c(\rho', 0), \ldots, c(\rho', l_{\rho'} - 1)$ are $N$-bounded, but $c(\rho', l_{\rho'})$ is not. We apply Lemma 6 to each such $\rho'$ and $l_{\rho'}$, and get $(l_{\rho'}, N)$-bounded and synchronized distributions for those $\rho'$: $R_{\rho'} = \{\rho_a, \rho_b\}$. Let $R_l$ be the distribution obtained by replacing in $R_{l-1}$ every bad run $\rho'$ by $R_{\rho'}$. Then $R_l$ is a $(l, N)$-bounded and synchronized distribution of $\rho$. □

Example 6. We give an example showing that the bound on the effective stack height used in the Boundedness Lemma is optimal: for any smaller bound, the lemma is no longer true.

We build a PDM with $k_1 + k_2 + 1$ states and with stack alphabet $\{\bot\} \cup [1, k_3]$, where $k_1, k_2, k_3$ are distinct prime numbers. With the $k_1$ first states, we build a circuit that pushes the word $(1 \ldots k_3)^{k_1}$ onto the stack. After that, the PDM leaves this circuit, and enters another one, consisting of $k_2$ states, that pops $k_2$ stack symbols. The PDM can only leave this circuit from its first state, and only when $\bot$ is the topmost stack symbol; if and when this condition holds, the PDM moves to the last state, from where it writes victory in the store. It should be clear that, in order to reach the last state, the stack of the PDM must reach a height of at least $(1 + k_1 k_2 k_3)$ symbols. Therefore, no run reaching the last state can be distributed into runs exhibiting a lower effective stack height.

We now show that we can further improve this example so as to show that a single instance of the contributor run in parallel with a special leader may reach the last state, but at least two instances of its $N$-restriction are required for at least one of them to reach that state.

It is possible for the leader to be informed whenever a contributor takes a loop (once in each loop the contributor informs the leader through the store and pauses until it receives acknowledgment through the store). Then the contributor asks permission before entering the last state. If the leader only grants permission if he was informed exactly a multiple of $k_4$ times of the entrance of some contributor in some loop, then, if there is only one contributor, he may reach the victory state by growing a $(1 + k_1 k_2 k_3 k_4)$-sized stack, which is too large for its $N$-restriction. Therefore a single instance of the $N$-restricted contributor does not suffice. At least two are required for an accepting run. □

Proof of the Reduction Theorem. Finally, we give the proof of the Reduction Theorem. 

Proof (of Theorem 4). Let $w$ be a word of $L(D)$ and let $M$ be a multiset of words of $C$ compatible with $w$. Let $s$ be a witness of compatibility, and let $I$ be the corresponding interleaving function (as introduced in the proof of the Distribution Lemma). Recall that $s$ is an interleaving of $w$ and $M$, that $I(w, i)$ is the position of $s$ at which we find the $i$-th letter of $w$, and that $I(v, j)$ is the position of $s$ at which we find the $j$-th letter of $v$, for every $v \in M$.

Let $\sigma$ be an accepting run of $w$, and let $R$ be a multiset of runs accepting each element of the multiset $M$. The proof follows three steps:
(1) We find a sequence of positions of $s$ corresponding to actions of the leader, such that both the run of the leader and $s$ can be pumped between any two such positions.

(2) We take a position far enough in this sequence, say $Z$, and distribute all the runs of $R$ into a multiset $R^N$, such that every run of $R^N$ is $N$-bounded up to position $Z$. We show the existence of two positions, say $X, Y$, both smaller than $Z$, satisfying the following condition. Take the multisets of configurations of the runs of $R^N$ at positions $X$ and $Y$, and "prune" them by removing their dark suffixes. Let $C_X$ and $C_Y$ be the resulting multisets of pruned configurations. Then $C_X$ and $C_Y$ have the same support (that is, they contain the same elements, although not necessarily the same number of times).

(3) We show that by adding more runs to $R^N$, we can obtain a new distribution for which the multisets $C_X$ and $C_Y$ not only have the same support, but are equal. We then show that the runs executed by the leader and by the contributors of this new distribution between positions $X$ and $Y$ can be pumped. This yields a word $w_1 w_2^\omega \in L(D)$ (where $w_2$ is the word executed by the leader between positions $X$ and $Y$) compatible with a multiset of words of the form $\{v_{11} v_{21}^\omega, \ldots, v_{1n} v_{2n}^\omega\}$ (where $v_{21}, \ldots, v_{2n}$ are the runs executed by the contributors between positions $X$ and $Y$), and for which we can find a witness of compatibility of the form $s_1 s_2^\omega$, where $s_1$ is an interleaving of $w_1$ and $\{v_{11}, \ldots, v_{1n}\}$, and $s_2$ is an interleaving of $w_2$ and $\{v_{21}, \ldots, v_{2n}\}$.

Step (1). Since $\sigma$ is an infinite run of $D$, by Proposition 1 it contains infinitely many positions of effective stack height 1. By the pigeonhole principle, from this sequence of positions we can extract an infinite subsequence of configurations with the same control state and topmost stack symbol. Since $\sigma$ is also an accepting run of the Büchi automaton $A$, we can further extract from this sequence an infinite subsequence such that between any two positions an accepting state of $A$ is visited. Let $(b_i)$ denote the image of this last infinite sequence by $I$. That is, $(b_i)$ denotes the infinite sequence of positions of $s$ obtained by the procedure above.

Now from $(b_i)$ we extract a subsequence $(c_i)$ such that between any two elements of it, every run of $R$ reaches a configuration with effective stack height 1. More formally, for every $i$ and for every $\rho \in R$, there exists $p_{\rho,i} \in \mathrm{dom}(\rho)$ such that $c(\rho, p_{\rho,i})$ has effective stack height 1 and $c_i \le I(\rho, p_{\rho,i}) \le c_{i+1}$. Since, by Proposition 1, every run of $R$ reaches such configurations infinitely often, $(c_i)$ exists. This gives us our sequence of positions in $s$.

Step (2). Let $t = \;\; + 1$, and let $Z = c_t$ (that is, $Z$ is the position of the $t$-th element of the sequence $(c_i)$). For each run $\rho \in R$, let $Z_\rho$ denote an element of $\mathrm{dom}(\rho)$ such that $I(\rho, Z_\rho) \ge Z$. By Lemma 7, we can distribute each run $\rho \in R$ into a $(Z_\rho, N)$-bounded multiset $R_\rho$ (with embedding function $\psi_\rho$).

For every $i \ge 1$, let $q_{\rho,i}$ be the largest position of $\mathrm{dom}(\rho)$ such that $I(\rho, q_{\rho,i}) \le c_i$, and let $R_\rho(q_{\rho,i}) = \{c_{\psi_\rho}(\tau, q_{\rho,i}) \mid \tau \in R_\rho\}$ be the multiset of configurations of $R_\rho$ at the position corresponding to $q_{\rho,i}$. We denote by $\alpha_\rho(i)$ the result of removing the dark suffixes of the configurations of $R_\rho(q_{\rho,i})$. We call the result pruned configurations.

If $i \le t$, then, by the definition of $R_\rho$, all the active prefixes of $R_\rho(q_{\rho,i})$ are $N$-bounded. So the pruned configurations of $\alpha_\rho(i)$ consist of a control state and a stack content of length at most $N$, and therefore the number of possible pruned configurations is bounded by
It follows that the number of possible sets (not multisets!) of pruned configurations is strictly smaller than $t$. So by the pigeonhole principle we find two elements $c_l$ and $c_r$ of the sequence $(c_i)$, where $l < r < t$, such that $\alpha_\rho(l)$ and $\alpha_\rho(r)$ have the same support for every $\rho$ (i.e. the sets are equal though the multisets may not be).

Step (3). We show how to modify the distributions $R_\rho$ so that the multisets $\alpha_\rho(l)$ and $\alpha_\rho(r)$ not only have the same support, but are equal. Observe that, even though the multisets are not equal, they have the same cardinality. We introduce new runs in the distribution to "balance" these multisets. Denote by $\mathbf{a}$ the common support of $\alpha_\rho(l)$ and $\alpha_\rho(r)$. For every $a \in \mathbf{a}$, we find two runs $\rho^l_a$ and $\rho^r_a$ in $R_\rho$ such that $c_{\psi_\rho}(\rho^l_a, q_{\rho,l})$ and $c_{\psi_\rho}(\rho^r_a, q_{\rho,r})$ have pruned configuration $a$.

Now we define a new distribution of $\rho$ to a multiset $R_\rho \oplus \{\rho_{a,a'} \mid a, a' \in \mathbf{a}\}$ with embedding function $\psi'_\rho$. The run $\rho_{a,a'}$ is such that the pruned configuration $c_{\psi'_\rho}(\rho_{a,a'}, q_{\rho,l})$ is $a$ and $c_{\psi'_\rho}(\rho_{a,a'}, q_{\rho,r})$ is $a'$: informally, $\rho_{a,a'}$ does as $\rho^l_a$ up to position $\psi_\rho(\rho^l_a, p_{\rho,l})$, and then as $\rho^r_{a'}$ from $\psi_\rho(\rho^r_{a'}, p_{\rho,l})$. Formally, $\psi'_\rho$ is the same as $\psi_\rho$ over each $\tau \in R_\rho$, and $\psi'_\rho(\rho_{a,a'}, i) = \psi_\rho(\rho^l_a, i)$ when $i \le \psi_\rho(\rho^l_a, p_{\rho,l})$, and $\psi'_\rho(\rho_{a,a'}, i) = \psi_\rho(\rho^r_{a'}, i - \psi_\rho(\rho^l_a, p_{\rho,l}) + \psi_\rho(\rho^r_{a'}, p_{\rho,l}))$ when $i > \psi_\rho(\rho^l_a, p_{\rho,l})$. Observe that since $c(\rho, p_{\rho,l})$ has effective stack height 1, it is exactly the same configuration as $c_{\psi_\rho}(\rho^l_a, p_{\rho,l})$ and $c_{\psi_\rho}(\rho^r_{a'}, p_{\rho,l})$. It is also the same configuration as $c_{\psi'_\rho}(\rho_{a,a'}, p_{\rho,l})$. So $\rho_{a,a'}$ is a run of $C$, and $\psi'_\rho$ is a synchronized $(Z_\rho, N)$-bounded distribution of $\rho$. By adding to $R_\rho$ sufficiently many instances of the appropriate $\rho_{a,a'}$, we obtain a new distribution $R'_\rho$ of $\rho$, such that the two multisets $\alpha_\rho(l)$ and $\alpha_\rho(r)$ are the same.

By the Distribution Lemma, the word $w$ is compatible with the words of the runs $\bigoplus_{\rho \in R} R'_\rho$. Let $\pi$ be a witness of compatibility. Consider the fragment of $\pi$ between the positions corresponding to $c_l$ and $c_r$ in $\pi$. The content of the store is the same at these two positions. Also, recall that we chose the $(c_i)$ so that the projection of the fragment onto the actions of the leader can be repeated infinitely often. Denote by $w^\omega$ the run of the leader consisting of repeating the subrun between the positions corresponding to $c_l$ and $c_r$. Finally, for each $R'_\rho$, the multiset of pruned configurations of $R'_\rho$ at positions $c_l$ and $c_r$ is the same, each run in $R'_\rho$ has effective stack height 1 at $c_l$ and $c_r$, and is $N$-bounded on that fragment. This does not mean that for every run $\tau \in R'_\rho$ the pruned configuration will be the same at those positions, but that there exists a permutation $p$ of $R'_\rho$ such that the pruned configuration of $\tau$ at position $c_l$ is the same as that of $p(\tau)$ at position $c_r$. Denoting $\tau^\omega = (\tau)_{p_{\rho,l}+1..c_r} \ldots$, we get that the multiset $\{(\tau)_{1..c_l} \ldots \mid \tau \in R'_\rho, \rho \in R\}$ is a multiset of $N$-bounded runs that is compatible with $w^\omega$. This concludes the proof. □